Bugtraq mailing list archives

Re: MSIE 5 favicon bug


From: lists () plasmic com (Jason)
Date: Fri, 7 May 1999 17:45:18 -0500


Aloha.

    Below is an exact copy of the information found on the web site Mr.
Veloso provided us with:

"The request for the favicon.ico file is first done on the same path of the
current URL. If the file is not found, MSIE 5 will backup one directory in
the directory hierarchy and try again. It will do this until it finds the
file or reaches the web server root (e.g. if you try to bookmark this page,
MSIE 5 will look for favicon.ico in
http://web.cip.com.br/flaviovs/sec/favicon/,
http://web.cip.com.br/flaviovs/sec/, http://web.cip.com.br/flaviovs/ and
http://web.cip.com.br/)."

    My experience is based on the following platform information:

        Windows 98 with all available updates (3717
        MSIE 5: 5.00.2014.0216IC 128-bit

    Contrary to the information given at the cited URL, my best attempts at
recreating this alleged phenomenon have been futile. In addition, I am
fairly confident, based on every log analysis I have performed, that this is
wrong.

    This is most obvious by creating a large hierarchy of directories like
the following URL (note: there is nothing at this URL but an empty dir):

http://www.plasmic.com/~jason/a/a/a/a/a/a/a/a/a/a/a/a/a/a/a/a/a/a/a/a/a/a/a/

    I supposed that if what Flavio asserted was true, then IE5 would bombard
the server with a plethora of requests for 'favicon.ico' when I added it to
my 'Favorites'.

    Here is a sample of what was generated in my apache log file:

    I open up the apache-generated directory listing web page:
"GET /~jason/a/a/a/a/a/a/a/a/a/a/a/a/a/a/a/a/a/a/a/a/a/a/a/ HTTP/1.1" 200
733

    After bookmarking the site, IE tries to find favicon.ico in the
_current_ directory:
"GET /~jason/a/a/a/a/a/a/a/a/a/a/a/a/a/a/a/a/a/a/a/a/a/a/a/favicon.ico
HTTP/1.1" 404 8999

    Directly thereafter (probably virtually simultaneous connections), IE5
attempts to retrieve favicon.ico from the _root_ directory of my web server:
"GET /favicon.ico HTTP/1.1" 404 330

    There are no requests in between the ones shown above.

    Implications:

- This vulnerability may only be exploited by the owner of the current
directory or the owner of the document root. This does not diminish its core
significance, but is definitely a fundamental point in the understanding of
this bug.

- Adding 'Favorites' does not generate as much traffic or as many requests
as originally thought.


Regards,
Jason Sloderbeck


+===========================-------------------- - -  -  -   -    -
| University of Missouri/Kansas City - Computer Science/Telecom
|  hom: 816/452.8937  e: jsloder () cstp umkc edu  url: www.umkc.edu
| Plasmic Computer Systems - Chief Information Officer
|  off: 816/292.2870  e: jason () plasmic com      url: www.plasmic.com
| Midwest Internet Services - Sr. Systems Administrator
|  cel: 816/820.9279  e: sloderbeck () mwis net    url: www.mwis.net
+===========================-------------------- - -  -  -   -    -

----- Original Message -----
From: Flavio Veloso <flaviovs () CENTROIN COM BR>
To: <BUGTRAQ () netspace org>
Sent: Monday, May 03, 1999 2:06 PM
Subject: MSIE 5 favicon bug


Hi folks.

When MSIE 5 users bookmark a page, the browser will request a file
named "favicon.ico" which is to be used in the "Favorites" menu of the
browser. Unfortunately MSIE 5 doesn't check the file integrity and
crashes if faced with a bad-formed icon file.

Upon crashing the stack gets filled with information from the icon
file itself, so it may be possible to run code on the client machine,
though I didn't test it.

Microsoft was notified twice about this issue via the "Report a Bug"
form on their web site. The first time about one month ago, the second
time about two weeks ago. I didn't receive back any reply.

More information about this bug (plus another privacy issue about the
"favicon.ico" file) is available at
http://web.cip.com.br/flaviovs/sec/favicon/index.html.

--
Flavio
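
Added example (not part of either post above): a small Python check that reads Apache access-log lines and reports which of the two lookup behaviours discussed in this thread the favicon.ico requests match, the directory walk-up described on the cited web page or the current-directory-plus-root pattern seen in the reply's logs. The function names, the shortened test path, and the host, timestamp and walk-up log lines are constructed for illustration.

```python
import posixpath
import re

# Request field of an Apache common-log-format line, followed by the status code.
REQUEST_RE = re.compile(r'"GET (\S+) HTTP/1\.[01]" \d{3} ')

def favicon_dirs(log_lines):
    """Return the directories favicon.ico was requested from, in log order."""
    dirs = []
    for line in log_lines:
        m = REQUEST_RE.search(line)
        if m and posixpath.basename(m.group(1)) == "favicon.ico":
            dirs.append(posixpath.dirname(m.group(1)).rstrip("/") + "/")
    return dirs

def ancestors(page_path):
    """Every directory from the page's own directory up to the server root."""
    d = posixpath.dirname(page_path)
    out = []
    while True:
        out.append(d.rstrip("/") + "/")
        if d in ("", "/"):
            return out
        d = posixpath.dirname(d)

def classify(page_path, log_lines):
    """Say which lookup behaviour the favicon.ico requests are consistent with."""
    chain = ancestors(page_path)
    if len(chain) <= 2:
        # A page at or one level below the root cannot tell the two apart,
        # which is why the test in the reply uses a deep directory hierarchy.
        return "indistinguishable"
    probed = set(favicon_dirs(log_lines))
    if probed == set(chain):
        return "walk-up"
    if probed == {chain[0], "/"}:
        return "current-and-root"
    return "other"

def _line(path, status, size):
    # Constructed log line; host and timestamp are placeholders.
    return f'192.0.2.10 - - [07/May/1999:17:30:00 -0500] "GET {path} HTTP/1.1" {status} {size}'

PAGE = "/~jason/a/a/a/"  # shortened form of the test URL in the reply
OBSERVED = [_line(PAGE, 200, 733), _line(PAGE + "favicon.ico", 404, 8999),
            _line("/favicon.ico", 404, 330)]
# Constructed: what the log would contain if every ancestor were probed.
WALK_UP = [_line(PAGE, 200, 733)] + [_line(d + "favicon.ico", 404, 330) for d in ancestors(PAGE)]

if __name__ == "__main__":
    print(classify(PAGE, OBSERVED), classify(PAGE, WALK_UP))
```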



