Bugtraq mailing list archives
RE: Microsoft IE cookies readable via about: URLS
From: "Per Arne Johansson" <perarne () johansson com>
Date: Mon, 12 Nov 2001 14:06:35 +0100
-----Original Message-----
From: Nick FitzGerald [mailto:nick () virus-l demon co uk]
Sent: Friday, November 09, 2001 3:51 PM
To: bugtraq () securityfocus com
Cc: Jouko Pynnonen
Subject: Re: Microsoft IE cookies readable via about: URLS
A better workaround (assuming that you feel cookies are "relatively useful" and would rather not turn them off) is to put about: URLs into the Restricted Sites zone, as detailed in Andrew Clover's followup to his own post:
http://www.securityfocus.com/archive/1/222552
In short, create a DWORD value named "about" under:
HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Internet Settings\ZoneMap\ProtocolDefaults
and set it to 4.
I just tested this against your test page and with the above value set,
the test tells me "No cookies found for site...".
Interestingly, this registry change seems to have almost immediate effect -- i.e. it did not require a restart or logout/login or even an IE exit/restart (I did this on Win2K) but occasionally, when running the test page over and over alternating back and forward between having the above value set and not present (the default), the page would work as if the registry value had not yet been changed.
I have tried this workaround; it works as described and without a reboot. However, it breaks certain applications that use the "Internet Explorer Server Window", most notably Yahoo Instant Messenger 5. It does not affect versions 3 or 4. My version of YAIM is 5,0,0,1036. The effect, in short: the "Internet Explorer Server Window" remains blank, not showing the IM texts. This might be due to poor design on Yahoo's part, but I am posting it as it may affect other applications as well and might not be a good workaround for all.

Best Regards,
Per Arne Johansson
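The workaround discussed in this thread, as an added example that is not part of the original posts: a PowerShell script that reports, applies, or reverts the "about" value under ProtocolDefaults, so the change can be backed out if an embedded-browser application stops rendering. The script's parameter and function names are assumptions made for illustration, and it must run from an elevated session because the value lives under HKLM.

```powershell
# Added example (not from the thread): manage the "about" protocol zone mapping.
# Usage: .\AboutZone.ps1 -Action Status|Apply|Revert   (file name is hypothetical)
param(
    [ValidateSet('Status', 'Apply', 'Revert')]
    [string]$Action = 'Status'
)

# Key and value name exactly as given in the post
$Key  = 'HKLM:\SOFTWARE\Microsoft\Windows\CurrentVersion\Internet Settings\ZoneMap\ProtocolDefaults'
$Name = 'about'
$RestrictedZone = 4   # value given in the post (Restricted Sites zone)

# URL security zone numbers used by Internet Explorer
$ZoneNames = @{
    0 = 'My Computer'; 1 = 'Local intranet'; 2 = 'Trusted sites'
    3 = 'Internet';    4 = 'Restricted sites'
}

function Get-AboutZone {
    # Returns the configured zone number, or $null when the value is absent
    $prop = Get-ItemProperty -Path $Key -Name $Name -ErrorAction SilentlyContinue
    if ($null -eq $prop) { return $null }
    return [int]$prop.$Name
}

switch ($Action) {
    'Apply' {
        if (-not (Test-Path $Key)) { New-Item -Path $Key -Force | Out-Null }
        New-ItemProperty -Path $Key -Name $Name -PropertyType DWord `
            -Value $RestrictedZone -Force | Out-Null
    }
    'Revert' {
        # Removing the value returns to the "not present (the default)" state
        Remove-ItemProperty -Path $Key -Name $Name -ErrorAction SilentlyContinue
    }
}

# Always finish by reading the value back, so the result of the change is visible
$zone = Get-AboutZone
if ($null -eq $zone) {
    'about: has no ProtocolDefaults entry (value not present)'
} elseif ($ZoneNames.ContainsKey($zone)) {
    "about: is mapped to zone $zone ($($ZoneNames[$zone]))"
} else {
    "about: is mapped to unrecognised zone value $zone"
}
```

Because the thread reports that the change can occasionally lag, re-run the script with `-Action Status` before retesting an affected application.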