Bugtraq mailing list archives
Re: MSIE 5 favicon bug
From: lists () plasmic com (Jason)
Date: Fri, 7 May 1999 17:45:18 -0500
Aloha. Below is an exact copy of the information found on the web site Mr. Veloso provided us with: "The request for the favicon.ico file is first done on the same path of the current URL. If the file is not found, MSIE 5 will backup one directory in the directory hierarchy and try again. It will do this until it finds the file or reaches the web server root (e.g. if you try to bookmark this page, MSIE 5 will look for favicon.ico in http://web.cip.com.br/flaviovs/sec/favicon/, http://web.cip.com.br/flaviovs/sec/, http://web.cip.com.br/flaviovs/ and http://web.cip.com.br/)." My experience is based on the following platform information: Windows 98 with all available updates (3717 MSIE 5: 5.00.2014.0216IC 128-bit Contrary to the information given at the cited URL, my best attempts at recreating this alleged phenomenon have been futile. In addition, I am fairly confident, based on every log analysis I have performed, that this is wrong. This is most obvious by creating a large hierarchy of directories like the following URL (note: there is nothing at this URL but an empty dir): http://www.plasmic.com/~jason/a/a/a/a/a/a/a/a/a/a/a/a/a/a/a/a/a/a/a/a/a/a/a/ I supposed that if what Flavio asserted was true, then IE5 would bombard the server with a plethora of requests for 'favicon.ico' when I added it to my 'Favorites'. Here is a sample of what was generated in my apache log file: I open up the apache-generated directory listing web page: "GET /~jason/a/a/a/a/a/a/a/a/a/a/a/a/a/a/a/a/a/a/a/a/a/a/a/ HTTP/1.1" 200 733 After bookmarking the site, IE tries to find favicon.ico in the _current_ directory: "GET /~jason/a/a/a/a/a/a/a/a/a/a/a/a/a/a/a/a/a/a/a/a/a/a/a/favicon.ico HTTP/1.1" 404 8999 Directly thereafter (probably virtually simultaneous connections), IE5 attempts to retrieve favicon.ico from the _root_ directory of my web server: "GET /favicon.ico HTTP/1.1" 404 330 There are no requests in between the ones shown above. Implications: - This vulnerability may only be exploited by the owner of the current directory or the owner of the document root. This does not diminish its core significance, but is definitely a fundamental point in the understanding of this bug. - Adding 'Favorites' does not generate as much traffic or as many requests as originally thought. Regards, Jason Sloderbeck +===========================-------------------- - - - - - - | University of Missouri/Kansas City - Computer Science/Telecom | hom: 816/452.8937 e: jsloder () cstp umkc edu url: www.umkc.edu | Plasmic Computer Systems - Chief Information Officer | off: 816/292.2870 e: jason () plasmic com url: www.plasmic.com | Midwest Internet Services - Sr. Systems Administrator | cel: 816/820.9279 e: sloderbeck () mwis net url: www.mwis.net +===========================-------------------- - - - - - - ----- Original Message ----- From: Flavio Veloso <flaviovs () CENTROIN COM BR> To: <BUGTRAQ () netspace org> Sent: Monday, May 03, 1999 2:06 PM Subject: MSIE 5 favicon bug
Hi folks. When MSIE 5 users bookmark a page, the browser will request a file named "favicon.ico" which is to be used in the "Favorites" menu of the browser. Unfortunately MSIE 5 doesn't check the file integrity and crash if faced with a bad-formed icon file. Upon crashing the stack gets filled with information from the icon file itself, so it may be possible to run code on the client machine, tough I didn't test it. Microsoft was notified twice about this issue via the "Report a Bug" form on their web site. The first time about one month ago, the second time about two weeks ago. I didn't receive back any reply. More information about this bug (plus another privacy issue about the "favicon.ico" file) is available at http://web.cip.com.br/flaviovs/sec/favicon/index.html. -- Flavio
Current thread:
- Re: MSIE 5 favicon bug Kurt Seifried (May 03)
- AS/400 Joachim Larsson (May 03)
- Re: AS/400 Ryan Permeh (May 05)
- Re: MSIE 5 favicon bug Flavio Veloso (May 04)
- <Possible follow-ups>
- Re: MSIE 5 favicon bug Ted.Buchan.330895 () ARMY DEFENCE GOV AU (May 04)
- Re: MSIE 5 favicon bug Chris DeRose (May 06)
- Re: MSIE 5 favicon bug Cliff Rowley (May 07)
- Microsoft Security Bulletin (MS99-013) aleph1 () UNDERGROUND ORG (May 07)
- Re: MSIE 5 favicon bug Chris DeRose (May 06)
- Re: MSIE 5 favicon bug Lee Chia Ling (May 06)
- Re: MSIE 5 favicon bug Jason (May 07)
- Re: MSIE 5 favicon bug Flavio Veloso (May 07)
- Re: MSIE 5 favicon bug blake.mitchell () AUTODESK COM (May 07)
- AS/400 Joachim Larsson (May 03)