Full Disclosure mailing list archives
Re: Internet Explorer 6 Meta Refresh Parsing Weakness
From: Moritz Naumann <info () moritz-naumann com>
Date: Thu, 18 Aug 2005 14:29:39 +0200
Hi Paul, and thanks for your opinion.

tuytumadre () att net wrote:
> Why should Microsoft be accountable for the mistakes of webmasters?
It is not. But in my opinion, the producer of the most used web browser worldwide - independent of its name, organization type or history - should consider improving the parsing of its web browser so that it behaves in a way that conforms with standards, or, if there are none defined (and that's the case here), the way people expect it. And you cannot necessarily say that if you have two 'URL=' statements, the average web developer would expect it to interpret the second one instead of

- interpreting the whole string and attempting to browse to the URL or returning a syntax error
- interpreting only the first 'URL=' statement
> Have you even tested any of the other browsers?
I tested it on Internet Explorer 6 SP1 on Win 98 SE, IE 6 SP2 on XP SP2, Firefox 1.0.6, Deerpark Alpha 2, Opera 8.02.1272 and Konqueror 3.3.2 (all of them on Debian GNU/Linux 3.1). All the browsers I tested - except IE - interpreted the full string and returned either a syntax error or tried to load the content stored at the URI contained in the string. Unluckily I forgot to include the URL of the test I set up. You can test your preferred browser at http://moritz-naumann.com/adv/0001/ie6meta/poc/index.html
> Even if you have, a webmaster should indeed be responsible for blindly redirecting a user to a url supplied in input. This isn't an Internet Explorer mistake - it is a webmaster mistake, and quite a silly one at that.
I totally agree with you. However, in my example, it was not done totally blindly; some (though much too little) filtering of user input was done. And several web applications I know handle it this way. It is a common technique to get rid of Referer HTTP headers which may contain session IDs when forwarding users to an external site. I am not saying this is necessary nor a good way to do it, I just say it is done this way in several web applications. I think this is a minor issue, and I think that Microsoft is only partially responsible for fixing this behaviour; nevertheless, they are. And I wanted to get the word out on this to warn web application developers about this unexpected and - in combination with badly coded web applications - possibly harmful behaviour. So I did.
> Btw, if this message appears in your mailboxes twice, it's because I sent it twice (the first time I received a DNS failure message).
No problem. Better two than none. :)

Regards,
Moritz
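The two parsing behaviours the message contrasts (following the last 'URL=' versus treating the whole string as one directive) and the server-side validation a redirect handler should apply before emitting a meta refresh, as an added Python example that is not part of the original message; the sample content values, the host allowlist and all function names are constructed for illustration.

```python
import html
import re
from urllib.parse import urlsplit

# Constructed sample values for a meta refresh content attribute (not taken from the advisory).
BENIGN = "0; URL=http://example.com/landing"
AMBIGUOUS = "0; URL=http://example.com/landing; URL=http://other.example/"

# A 'URL=' directive ends at the next ';' or whitespace.
_URL_DIRECTIVE = re.compile(r"url\s*=\s*([^;\s]+)", re.IGNORECASE)


def refresh_targets(content):
    """Return every 'URL=' value in a refresh content string.

    One entry is the unambiguous case. More than one is the case the message
    describes: the post reports IE 6 followed the last value while the other
    browsers tested treated the string as a single (invalid) directive.
    """
    return _URL_DIRECTIVE.findall(content)


def is_safe_redirect(target, allowed_hosts):
    """Server-side check for a user-supplied redirect target.

    Rejects anything that could be read as a second directive once placed in
    the content attribute, any non-http(s) scheme, and any host not on the
    allowlist, so no browser's parsing quirk decides where the user ends up.
    """
    if re.search(r"[;,\s]", target):  # ';' ',' or whitespace would end the directive
        return False
    parts = urlsplit(target)
    if parts.scheme not in ("http", "https"):
        return False
    return parts.hostname in allowed_hosts


def meta_refresh(target, allowed_hosts):
    """Build the refresh tag only for a validated target; return None otherwise."""
    if not is_safe_redirect(target, allowed_hosts):
        return None
    return '<meta http-equiv="refresh" content="0; URL=%s">' % html.escape(target, quote=True)
```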