Re: Microsoft IE cookies readable via about: URLS

From: Clover Andrew (aclover@1value.com)
Date: 11/12/01


Subject: Re: Microsoft IE cookies readable via about: URLS
Date: Mon, 12 Nov 2001 16:14:43 +0100
Message-ID: <D58B0195B58937489E89124469E57CA249DA09@EX1.1value.com>
From: "Clover Andrew" <aclover@1value.com>
To: <bugtraq@securityfocus.com>

Nick FitzGerald <nick@virus-l.demon.co.uk> wrote:

> This was hinted at in Andrew Clover's message of 19 October

Yes. I noted that "IE incorrectly applies HTTP-style URL parsing to
'about:' URLs", from which I really should have investigated further to
find that in fact it doesn't recognise the difference between http: and
about: at all in the case of cookie access security. My bad - having
found what I considered enough of a hole to require patching, I didn't
go further and find its full potential.

> That's interesting, given they seemed to think there was no
> problem (despite the flaw being obvious to the rest of the
> world) back when Andrew mentioned it...

Well, my exploit was less serious than this, but it was indicative of
brokenness, and I would have expected the IE team to at least
investigate. Instead, Microsoft seemed more interested in arguing
Mitigating Factors. It would be easiest to simply remove the
about-unknown-page-echoing-"feature", since it is of no legitimate use
whatsoever (or at least enforce HTML-escaping on it). I do not expect
the patch for Jouko's more serious exploit to do so, when it's released,
but there's always hope.

> HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Internet
> Settings\ZoneMap\ProtocolDefaults\about = 4

Indeed, I've been using this a while with no problems, recommend it.

-- 
Andrew Clover
Technical Consultant
1VALUE.com AG
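The registry setting quoted in the reply above maps the about: protocol into Internet Explorer's Restricted sites zone (zone 4), so content reached through about: URLs runs with that zone's restrictions. The following PowerShell script is an added example, not code from the original post or from either correspondent: it audits the value the thread recommends and, with -Apply, sets it. The key path and the value 4 are taken from the message; the zone-number-to-name table, the DWORD value type and the exit-code convention are my assumptions about how the ZoneMap key is laid out.

```powershell
# Added example (not from the original post): audit and optionally apply the
# ZoneMap ProtocolDefaults setting for the about: protocol that the thread
# recommends. Zone 4 is the "Restricted sites" zone. Writing HKLM needs an
# elevated shell; without -Apply the script only reports.
param(
    [switch]$Apply
)

# Key path as quoted in the thread (HKLM hive).
$KeyPath  = 'HKLM:\SOFTWARE\Microsoft\Windows\CurrentVersion\Internet Settings\ZoneMap\ProtocolDefaults'
$Protocol = 'about'
$WantZone = 4   # Restricted sites, per the recommendation in the thread

# Assumed zone numbering for readable output.
$ZoneNames = @{
    0 = 'My Computer'
    1 = 'Local intranet'
    2 = 'Trusted sites'
    3 = 'Internet'
    4 = 'Restricted sites'
}

function Get-AboutZone {
    # Returns the current zone number for about:, or $null if no explicit
    # mapping is present (IE then falls back to its default handling).
    $item = Get-ItemProperty -Path $KeyPath -Name $Protocol -ErrorAction SilentlyContinue
    if ($null -eq $item) { return $null }
    return [int]$item.$Protocol
}

$current = Get-AboutZone
if ($null -eq $current) {
    Write-Output "ProtocolDefaults\$Protocol is not set (no explicit zone mapping for about:)."
} else {
    $name = $ZoneNames[$current]
    if (-not $name) { $name = 'unknown zone' }
    Write-Output "ProtocolDefaults\$Protocol = $current ($name)"
}

if ($current -eq $WantZone) {
    Write-Output 'about: is already mapped to Restricted sites; nothing to do.'
    exit 0
}

if (-not $Apply) {
    # Non-zero exit so the script can be used as a compliance check in a job.
    Write-Output 'Not compliant. Re-run with -Apply to map about: to zone 4 (Restricted sites).'
    exit 1
}

# Create the ProtocolDefaults key if it is missing, then write the DWORD value.
if (-not (Test-Path $KeyPath)) {
    New-Item -Path $KeyPath -Force | Out-Null
}
Set-ItemProperty -Path $KeyPath -Name $Protocol -Value $WantZone -Type DWord
Write-Output "Set ProtocolDefaults\$Protocol to $WantZone (Restricted sites)."
exit 0
```

Run it once without arguments to see the current mapping, then with -Apply from an elevated prompt to set it; the change takes effect for new IE windows and applies machine-wide because it is written under HKLM.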
