Vulnerability Development mailing list archives
Re: Plain text files in internet explorer
From: Eric Rostetter <eric.rostetter () physics utexas edu>
Date: Mon, 2 Sep 2002 22:11:23 -0500
Quoting Dan Kaminsky <dan () doxpara com>:
Mozilla will occasionally render downloads from a scripted backend as plain text. It's really pretty annoying, correct behavior or not.
Granted. And the solution is to either fix the backend (best) or prompt the user if they would like to take a non-standard action.
All things being equal, I'll go with correct behavior being first that which matches what is presented to the user in the title bar, using standard (Microsoftian!) in-band filename notation, then if nothing usable is there, use the MIME-type as a hint. In such a circumstance:
This is just plain wrong. Just because it works for microsoft users doesn't mean it works for the rest of the world. At least until microsoft really does take over the world and the rest of us go away.
foobar.txt is always read as text.
Okay. So what is foobar.text read as?
foobar.html is always read as html.
But what if I don't want it read as html?
foobar.php and foobar.php, which really *should* be foobar.html because -- dear god, they contain html -- can use the MIME-type to hint themselves into HTML parsing.
But what if -- dear god -- it contains php and not html?
foobar.gif is always read as gif.
Okay.
a javascript virus is always obviously either javascript(foo.js) or parsed as a gif(foo.gif).
But what if I don't want it parsed at all?
Importantly, I cannot concieve of a circumstance in which this can be described incorrect behavior.
Okay, here's the crux of the problem. Microsoft MSIE thinks that when a web page wants to download a file called sample.com it must be an Microsoft (DOS) executable and tries to execute it as such, even though I told it that it was a text/plain or application/octet-stream file. The problem is, it is really a OpenVMS command file, which is a text/plain file, or at best an OpenVMS executable, and Microsoft/MSIE file. So executing it (which MSIE does) is not only inappropriate/undesirable, but it could be totally disasterous! Same for Microsoft thinking that *.doc is a word document, when other operating systems have been using *.doc for other purposes for years. Same for *.dir, *.exe, etc. Point is, not all OS platforms use the same file extensions, so if one decides to force its file extensions on the user, it will cause problems with people who use multiple OS platforms.
to view the previous format, not the latter. GIFs can't exploit your system. Flash files can, just like any executable.
That is pure fud.
We're seeing a reasonably steady stream of "x posing as y to get around z restriction" attacks made available specifically because filetype handling is being hidden behind a user-opaque format standard that places the type of a file far outside the file itself.
So? How is this different that the exploits/viruses/restriction-bypasses by using filename extensions (like something.xls.txt or something.exe.txt)?
I expect the exploit stream will eventually lead to MIME-type deprecation.
I seriously doubt it. And it surely won't be replaced by file extensions which suffer most all the same problems and additional problems also.
Yours Truly, Dan Kaminsky DoxPara Research http://www.doxpara.com
-- Eric Rostetter The Department of Physics The University of Texas at Austin "TAD (Technology Attachment Disorder) is an unshakable, impractical devotion to a brand, platform, product line, or programming language. It's relatively harmless among the rank and file, but when management is afflicted the damage can be measured in dollars. It's also contagious -- someone with sufficient political clout can infect an entire organization." --"Enterprise Strategies" columnist Tom Yager.
Current thread:
- Re: Plain text files in internet explorer, (continued)
- Re: Plain text files in internet explorer Dan Kaminsky (Sep 03)
- Re: Plain text files in internet explorer Helmut Springer (Sep 03)
- Re: Plain text files in internet explorer Marc Slemko (Sep 03)
- Re: Plain text files in internet explorer Daniel Newby (Sep 04)
- GIFs Good, Flash Executable Bad [Was: Plain text files in internet explorer] Roland Postle (Sep 02)
- RE: GIFs Good, Flash Executable Bad [Was: Plain text files in internet explorer] Jason Coombs (Sep 03)
- Re: GIFs Good, Flash Executable Bad [Was: Plain text files in internet explorer] Gerhard den Hollander (Sep 03)
- RE: GIFs Good, Flash Executable Bad [Was: Plain text files in internet explorer] Dom De Vitto (Sep 03)
- Re: GIFs Good, Flash Executable Bad [Was: Plain text files in internet explorer] Blue Boar (Sep 03)
- Re: Plain text files in internet explorer Bernie Cosell (Sep 02)
- Re: Plain text files in internet explorer Eric Rostetter (Sep 03)
- Re: Plain text files in internet explorer Bill Weiss (Sep 02)
- Re: Plain text files in internet explorer Pierre-Yves Bonnetain (Sep 06)
- RE: Plain text files in internet explorer Dom De Vitto (Sep 07)