Bugtraq mailing list archives
Re: Microsoft IE cookies readable via about: URLS
From: "Clover Andrew" <aclover () 1value com>
Date: Mon, 12 Nov 2001 16:14:43 +0100
Nick FitzGerald <nick () virus-l demon co uk> wrote:
This was hinted at in Andrew Clover's message of 19 October
Yes. I noted that "IE incorrectly applies HTTP-style URL parsing to 'about:' URLs", from which I really should have investigated further to find that in fact it doesn't recognise the difference between http: and about: at all in the case of cookie access security. My bad - having found what I considered enough of a hole to require patching, I didn't go further and find its full potential.
That's interesting, given they seemed to think there was no problem (despite the flaw being obvious to the rest of the world) back when Andrew mentioned it...
Well, my exploit was less serious than this, but it was indicative of brokenness, and I would have expected the IE team to at least investigate. Instead, Microsoft seemed more interested in arguing Mitigating Factors. It would be easiest to simply remove the about-unknown-page-echoing-"feature", since it is of no legitimate use whatsoever (or at least enforce HTML-escaping on it). I do not expect the patch for Jouko's more serious exploit to do so, when it's released, but there's always hope.
HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Internet Settings\ZoneMap\ProtocolDefaults\about = 4
Indeed, I've been using this a while with no problems, recommend it. -- Andrew Clover Technical Consultant 1VALUE.com AG
Current thread:
- Microsoft IE cookies readable via about: URLS Jouko Pynnonen (Nov 08)
- Re: Microsoft IE cookies readable via about: URLS Nick FitzGerald (Nov 09)
- Re: Microsoft IE cookies readable via about: URLS Jeffrey W. Dronenburg (Nov 10)
- RE: Microsoft IE cookies readable via about: URLS Oliver Petruzel (Nov 12)
- Re: Microsoft IE cookies readable via about: URLS Thomas Reinke (Nov 12)
- Re: Microsoft IE cookies readable via about: URLS Valdis . Kletnieks (Nov 12)
- RE: Microsoft IE cookies readable via about: URLS Per Arne Johansson (Nov 12)
- <Possible follow-ups>
- Re: Microsoft IE cookies readable via about: URLS Clover Andrew (Nov 12)
- Re: Microsoft IE cookies readable via about: URLS Kristian Strickland (Nov 14)
- Re: Microsoft IE cookies readable via about: URLS Peter W (Nov 15)
- RE: Microsoft IE cookies readable via about: URLS Kristian Strickland (Nov 15)
- Re: Microsoft IE cookies readable via about: URLS Nick FitzGerald (Nov 09)