Bugtraq mailing list archives
Re: TXT or HTML -- IE NEW BUG: not that new, but...
From: eric () CoLi Uni-SB DE
Date: Sat, 28 Jul 2001 07:25:41 +0200 (MET DST)
Hi, I believe this has been discussed months ago (opening files from the web using magic content instead of mime type and extension or something), could anybody dig up the thread? I think this was about some MSIE or Outlook module, and of course, it was intended to be a feature ;-) But C Bird is right, we might be underestimating the thread, consider recent revival of ".." and c:\con\con issues, worms exploiting that and weak (unpatched, only 1 char relevant) network neighbourhood passwords, and lots of other "classic" bugs. I guess most users have not patched any of them, not even stuff like Outlook file name overflows and similar. Looking at Sircam and the like fooling lots of users with file.jpg.exe due to the default never show ext behaviour, the MSIE automanic (hu? Did anybody say automatic?) file type detection "re-exploited" by C Bird is yet another bad move in trying to add ease of use while in fact adding security holes. A similar problem occurs with Word and other Office applications, as described WAY back in spring 2000:
Date: Wed, 8 Mar 2000 10:50:54 +0100 From: Eric Chien <ecchien () YAHOO COM> Subject: Re: NAI/McAfee Viruscan Engine does not scan .VBS files by default
...
While this is a good timely reminder, this is nothing new and only addresses a small point of the overall problem. One should always scan ALL files. This is more because of Microsoft Word documents (Excel, etc. too) which can have ANY extension and automagically spawn Word instead of prompting you with a 'open this with?' dialog. (The technical fine detail is this is the case if the extension is not already associated with some other program).
... Cheers, Eric Auer
Current thread:
- TXT or HTML? -- IE NEW BUG cr4zybird (Jul 28)
- Re: TXT or HTML? -- IE NEW BUG Stephen Cope (Jul 28)
- Re: TXT or HTML -- IE NEW BUG: not that new, but... eric (Jul 28)
- Re: TXT or HTML? -- IE NEW BUG Dylan Griffiths (Jul 28)
- Re: TXT or HTML? -- IE NEW BUG bjarne bingo (Jul 28)
- Re: TXT or HTML? -- IE NEW BUG Nathan Neulinger (Jul 28)
- Re: TXT or HTML? -- IE NEW BUG Magnus Bodin (Jul 29)
- Re: TXT or HTML? -- IE NEW BUG Justin Nelson (Jul 29)
- Re: TXT or HTML? -- IE NEW BUG Aaron Whiteman (Jul 29)
- Re: TXT or HTML? -- IE NEW BUG Justin Nelson (Jul 30)
- Re: TXT or HTML? -- IE NEW BUG Magnus Bodin (Jul 29)
- Re: TXT or HTML? -- IE NEW BUG Fred Oliveira (Jul 28)
- Re: TXT or HTML? -- IE NEW BUG Tom Laermans (Jul 29)
- RE: TXT or HTML? -- IE NEW BUG arivanov (Jul 28)