Full Disclosure mailing list archives

Re: Internet Explorer 6 Meta Refresh Parsing Weakness


From: Moritz Naumann <info () moritz-naumann com>
Date: Thu, 18 Aug 2005 14:29:39 +0200


Hi Paul,

and thanks for your opinion.

tuytumadre () att net wrote:
> Why should Microsoft be accountable for the mistakes of webmasters?

It is not. But in my opinion, the producer of the most used web browser
worldwide - independent of its name, organization type or history -
should consider improving the parsing of its web browser so that it
behaves in a way that conforms with standards, or, if there are none
defined (and that's the case here), the way people expect it. And you
cannot necessarily say that if you have two 'URL=' statements, the
average web developer would expect it to interpret the second one instead of
- interpreting the whole string and attempting to browse to the URL or
return a syntax error
- interpreting only the first 'URL=' statement

> Have you even tested any of the other browsers?

I tested it on Internet Explorer 6 SP1 on Win 98 SE, IE 6 SP2 on XP SP2,
Firefox 1.0.6, Deerpark Alpha 2, Opera 8.02.1272 and Konqueror 3.3.2
(all of them on Debian GNU/Linux 3.1).

All the browsers I tested - except IE - interpreted the full string and
returned either a syntax error or tried to load the content stored at
the URI contained in the string.

Unluckily I forgot to include the URL of the test I set up. You can test
your preferred browser at
http://moritz-naumann.com/adv/0001/ie6meta/poc/index.html

> Even if you have, a webmaster should indeed be responsible for
> blindly redirecting a user to a url supplied in input. This isn't an
> Internet Explorer mistake - it is a webmaster mistake, and quite a
> silly one at that.

I totally agree with you.

However, in my example, it was not done totally blindly, some (though
much too little) filtering of user input was done. And several web
applications I know handle it this way. It is a common technique to get
rid of Referer HTTP headers which may contain session IDs when
forwarding users to an external site. I am not saying this is necessary
nor a good way to do it, I just say it is done this way in several web
applications.

I think this is a minor issue, and I think that Microsoft is only
partially responsible to fix this behaviour, nevertheless, they are. And
I wanted to get the word out on this to warn web application developers
about this unexpected and - in combination with badly coded web
applications - possibly harmful behaviour. So I did.

> Btw, if this message appears in your mailboxes twice, it's because I
> sent it twice (the first time I received a DNS failure message).

No problem. Better two than none. :)

Regards,
Moritz
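The parsing difference the thread describes (IE6 following the second 'URL=' where the other tested browsers treat everything after the first 'URL=' as one string) and the "some, but too little, filtering" redirect pattern, modelled as an added Python example that is not part of the original post. The host allowlist, the sample URLs and both parser models are assumptions; the IE6 model follows the behaviour described in the thread, not IE6's actual code.

```python
import html
import re
from urllib.parse import urlsplit

# Hypothetical allowlist of hosts a redirect may point to (assumed for this example).
ALLOWED_HOSTS = {"www.example.com"}
URL_TOKEN = re.compile(r"url=", re.IGNORECASE)


def target_ie6_style(content: str) -> str:
    """Model of the IE6 behaviour described in the thread: when the content
    attribute carries several 'URL=' tokens, the last one is followed."""
    hits = list(URL_TOKEN.finditer(content))
    return content[hits[-1].end():] if hits else ""


def target_strict_style(content: str) -> str:
    """Model of the other browsers tested: everything after the first 'URL='
    is one string, which then fails to load or yields a syntax error."""
    m = URL_TOKEN.search(content)
    return content[m.end():] if m else ""


def is_ambiguous(content: str) -> bool:
    """True when the two parsing models disagree, i.e. the attribute value
    would send IE6 somewhere other than the remaining browsers."""
    return target_ie6_style(content) != target_strict_style(content)


def weak_meta_refresh(target: str) -> str:
    """The 'too little filtering' pattern from the post, kept as the before
    case: accept any http(s) URL and paste it into the attribute unchanged."""
    if not target.lower().startswith(("http://", "https://")):
        raise ValueError("scheme not allowed")
    return f'<meta http-equiv="refresh" content="0;URL={target}">'


def safe_meta_refresh(target: str) -> str:
    """Hardened form: allowlist scheme and host, refuse anything that could be
    read as a second directive (';' or another 'URL='), then HTML-escape."""
    parts = urlsplit(target)
    if parts.scheme not in ("http", "https") or parts.hostname not in ALLOWED_HOSTS:
        raise ValueError("destination not allowed")
    if ";" in target or URL_TOKEN.search(target):
        raise ValueError("target could be parsed as a second URL= directive")
    return f'<meta http-equiv="refresh" content="0;URL={html.escape(target, quote=True)}">'


def content_attr(tag: str) -> str:
    """Read the content attribute back out of a meta tag (check helper)."""
    return html.unescape(re.search(r'content="([^"]*)"', tag).group(1))
```

Running `is_ambiguous` over the content attributes a web application emits is a cheap regression check that no accepted target ever produces two 'URL=' tokens.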
_______________________________________________
Full-Disclosure - We believe in it.
Charter: http://lists.grok.org.uk/full-disclosure-charter.html
Hosted and sponsored by Secunia - http://secunia.com/