RE: TXT or HTML? -- IE NEW BUG

From: arivanov@sigsegv.cx
Date: 07/28/01


Message-ID: <XFMail.20010728094004.arivanov@sigsegv.cx>
Date: Sat, 28 Jul 2001 09:40:04 +0100 (BST)
From: arivanov@sigsegv.cx
To: cr4zybird <cr4zybird@hotmail.com>
Subject: RE: TXT or HTML? -- IE NEW BUG


-----BEGIN PGP SIGNED MESSAGE-----
Hash: SHA1

Hi,

        I may be terribly mistaken, but I think that this to some extent has
been discussed previously on Bugtraq. I cannot get through to the securityfocus
web site all morning so pls excuse me for not quoting the exact post where this
was mentioned the first time.

        Quoting from memory, so excuse me for any discrepancies with the
original post (it was more than 6 months ago): IE ignores not just the
extension. If I recall correctly mime types supplied by a server are happily
ignored as well.

        What happens is IE looks at the first 200 bytes or so and decides based
on "magic" first, looks at the mime type/extension later. So it is not just HTML.

On 27-Jul-2001 cr4zybird wrote:
> TXT or HTML? -- IE NEW BUG
> vulnerable programs:
> IE4, IE5, IE5, IE6, Microsoft Word, Microsoft Excel, Microsoft PowerPoint,
> Tencent explorer (I've tested all the versions of IE that I can find, they
> are all vulnerable)
>
> description:
> IE doesn't recognize the extensions of files, which may contain some html
> code.
> Write an HTML file in NOTEPAD. Save it as *.txt. Upload to any server, then
> use IE to visit this page. Found: IE executed the HTML code which contained in

[snip]

Brgds,

- ----------------------------------
Anton R. Ivanov
ARI2-RIPE
Today's deliverables will have to be delayed because:

Borg implants are failing

- ----------------------------------
-----BEGIN PGP SIGNATURE-----
Version: GnuPG v1.0.4 (GNU/Linux)
Comment: For info see http://www.gnupg.org

iD8DBQE7Ynpk4QelTkllq+4RAo1AAKDXrjbc1zma9B05U3qJ+pIP3YkNlwCgyPTl
jAvrcdTryfWap7kVP3jsoas=
=qDAB
-----END PGP SIGNATURE-----
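
Added example, not part of the original message: a server-side check for the behaviour described above, flagging untrusted uploads whose leading bytes look like HTML even though they are declared as another type, and building response headers that keep a sniffing client from rendering them. The 200-byte window follows the "first 200 bytes or so" recalled in the message and is an assumption, as are the function names, the token list and the sample uploads.

```python
import re

# Assumption: the message recalls "the first 200 bytes or so"; 200 is an
# illustrative window here, not a documented value for any IE version.
SNIFF_WINDOW = 200

# Constructed list of markup tokens that suggest an HTML document.
HTML_HINTS = re.compile(
    rb"<\s*(!doctype\s+html|html|head|body|script|iframe|title|table)",
    re.IGNORECASE,
)

def looks_like_html(data: bytes) -> bool:
    """True if the leading bytes contain markup a sniffing client may render."""
    return HTML_HINTS.search(data[:SNIFF_WINDOW]) is not None

def safe_response_headers(declared_type: str, data: bytes) -> dict:
    """Build response headers for serving untrusted uploaded content."""
    headers = {
        "Content-Type": declared_type,
        # Tells supporting browsers to honour the declared type.
        "X-Content-Type-Options": "nosniff",
    }
    if declared_type != "text/html" and looks_like_html(data):
        # Declared type and content disagree: force a download, never render.
        headers["Content-Type"] = "application/octet-stream"
        headers["Content-Disposition"] = "attachment"
    return headers

def audit(uploads):
    """Return names of uploads whose content looks like HTML but is declared otherwise."""
    return [name for name, ctype, data in uploads
            if ctype != "text/html" and looks_like_html(data)]

# Constructed sample uploads: (file name, declared MIME type, content).
SAMPLES = [
    ("notes.txt", "text/plain", b"Meeting notes for Friday\n"),
    ("page.txt", "text/plain", b"<html><body><h1>hello</h1></body></html>"),
    ("upper.txt", "text/plain", b"  <HTML>\n<BODY>hi</BODY></HTML>"),
    ("index.html", "text/html", b"<html><body>ok</body></html>"),
]

if __name__ == "__main__":
    for name in audit(SAMPLES):
        print("declared type does not match content:", name)
```
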


