Re: for those that think jpgs are "safe"

From: dkg_ctc (dontknowguilt_at_hotmail.com)
Date: 11/12/03


Date: 12 Nov 2003 17:45:01 GMT

Colonel Flagg <colonel_flagg@NOSOUPFORJ00internetwarzone.org> wrote
in news:MPG.1a1bace08f4bda60989ba8@news.charter.net:

> In article <Xns9430E668E76Ddkgctc@130.133.1.4>,
> dontknowguilt@hotmail.com says...
>> Colonel Flagg <colonel_flagg@NOSOUPFORJ00internetwarzone.org>
>> wrote in news:MPG.1a1b3c8c389dce56989b9c@news.charter.net:
>>
>> > open this in IE:
>> >
>> > http://www.nero-online.org/norway.jpg
>>
>> It should also be noted that if norway.jpg were, for example, a
>> PHP script which sent the content type as text/html, then the
>> behavior would be the same in any browser that obeys the
>> content-type header, as opposed to file contents (which is pretty
>> much any browser other than Internet Explorer).
>>
>> So to recap...
>>
>> A.) The example on the page (Trojan.VBS.Iframe) is a denial of
>> service. It doesn't exploit vulnerabilities in Internet
>> Explorer.
>>
>
>
> It doesn't? Then how come it won't do the same thing in other
> browsers, such as Mozilla? Because Mozilla sees it as malicious
> code (malformed, malicious, corrupt, whatever) and won't allow it
> to run.

Wrong. Mozilla won't run it because the server sends a
content type saying that it's a JPEG, and Mozilla obeys the content
type. If you were to code a script which sends the content-type as
HTML, and simply use Javascript instead of VBScript, then it would
allow it to run. The script isn't malformed, malicious, or corrupt;
it's simply Javascript.

>> B.) Sending someone a link to a file named as JPEG but which is
>> really HTML will render the page as HTML in Internet Explorer,
>> but this in itself is not a security vulnerability. Rather, it's
>> simply misdirection.
>>
>
> So then, if an iframe exploit in html has been patched (and it
> has) and I send this to you and you open it in your fully patched
> IE browser and it runs (as it did), you're saying it won't run?

You seem confused...first off, the "iframe exploit" in that page
wasn't anything of the sort. It was simply a script which wrote a
number of iframes which opened a page recursively. Second of all,
all that was on that page was iframes and pop-ups. That's what ran.
Big deal.

> Um, it just did :-) Unless of course, you're browsing the web
> unpatched.... which I doubt, but considering some of the brainiacs
> we have in this froup, it wouldn't surprise me.

True...you never know.

>> C.) By sending a Content-Type: text/html, most browsers will
>> render what appears to be a JPG by URL as HTML, the same way that
>> Internet Explorer does. Going by the content-type header, as
>> opposed to file extension or file contents, is the correct way to
>> determine how to handle a file.
>>
>
>
> So then, a file with a .jpg extension can be mishandled by IE,
> causing *something* to happen that shouldn't.... therefore, .jpg's
> should not be considered safe.

In any browser, not just IE.

> Thanks for confirming what I said to begin with.

No, that's not what you said. Your entire behavior was that
Internet Explorer rendering what's named as a JPEG as something
else was some security vulnerability. It's not.

> As I said previously, in another thread, a TRUE jpeg is safe.
> .jpg's overall SHOULD NOT be considered safe in IE because IE (and
> Microsoft for that matter) is a borked product.

Like I said in point C above, it's NOT just IE that can be tricked
(not really tricked, but by following standard HTTP protocols) into
rendering JPEGs as HTML.

> In fact, I would go so far as to say, The combo of IE & OE should
> be considered the single greatest cause of infection on the
> Internet,

I would agree with you on that.

> followed by a close second with IIS.

I would disagree with you on that.

Ok...now just to make sure I'm clear, because I'm a bit slow in my
not-so-old age...

You're not claiming that the rendering of a file with a JPEG extension
as HTML is a security vulnerability. You're simply claiming that it's
a means of tricking a user into going to a site that they normally
wouldn't go to. Correct? If so, then we're in agreement (except for
the fact that you seem to think this vulnerability is limited to IE).
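The three handling strategies argued over in this thread (the URL's extension, the Content-Type header, and sniffing the body bytes) side by side, as an added example that is not part of the original post or of anything the posters wrote: a small Python classifier that reports what each strategy decides for a constructed norway.jpg-style response and flags header/body and extension/header disagreements. The function and class names are mine, and the sample bodies are constructed stand-ins, not captures of the real file.

```python
"""Added example (not from the thread): compare three ways a client can
decide how to handle a fetched resource -- by URL extension, by the
Content-Type header, or by sniffing the body -- and flag mismatches.
"""

import mimetypes
import posixpath
from dataclasses import dataclass
from typing import Optional

# Magic-byte prefixes for a few image types (JPEG starts with the SOI marker FF D8 FF).
MAGIC = {
    b"\xff\xd8\xff": "image/jpeg",
    b"\x89PNG\r\n\x1a\n": "image/png",
    b"GIF87a": "image/gif",
    b"GIF89a": "image/gif",
}

# Tags whose presence near the start of a body makes a sniffing client treat it as HTML.
HTML_MARKERS = (b"<html", b"<!doctype html", b"<script", b"<iframe", b"<body")

OCTET = "application/octet-stream"


@dataclass
class Verdict:
    by_extension: str           # what the URL's extension suggests
    by_header: str              # what the Content-Type header says
    by_sniffing: str            # what the body bytes look like
    header_matches_body: bool   # header-obeying and sniffing clients agree
    extension_matches_header: bool  # the "named .jpg but served as HTML" case


def type_from_extension(url_path: str) -> str:
    guess, _ = mimetypes.guess_type(posixpath.basename(url_path))
    return guess or OCTET


def type_from_header(content_type: Optional[str]) -> str:
    """Strip parameters such as '; charset=utf-8' and normalise case."""
    if not content_type:
        return OCTET
    return content_type.split(";")[0].strip().lower() or OCTET


def type_from_sniffing(body: bytes) -> str:
    """Imitate a client that ignores the header and looks at the bytes."""
    for prefix, mime in MAGIC.items():
        if body.startswith(prefix):
            return mime
    head = body[:512].lstrip().lower()
    if any(marker in head for marker in HTML_MARKERS):
        return "text/html"
    return OCTET


def classify(url_path: str, content_type: Optional[str], body: bytes) -> Verdict:
    ext = type_from_extension(url_path)
    hdr = type_from_header(content_type)
    snf = type_from_sniffing(body)
    return Verdict(ext, hdr, snf, hdr == snf, ext == hdr)


def rendering_decisions(v: Verdict) -> dict:
    """What each client strategy would render the response as."""
    return {
        "obeys_header": v.by_header,        # Mozilla-style: trust Content-Type
        "sniffs_body": v.by_sniffing,       # IE-style: decide from the bytes
        "trusts_extension": v.by_extension,  # naive: decide from the URL
    }


# Constructed sample bodies (not captures of any real file).
REAL_JPEG = b"\xff\xd8\xff\xe0\x00\x10JFIF\x00" + b"\x00" * 32
HTML_BODY = b"<html><body><h1>not an image</h1></body></html>"

if __name__ == "__main__":
    cases = [
        ("genuine JPEG, correct header", "/norway.jpg", "image/jpeg", REAL_JPEG),
        ("HTML body, header says JPEG", "/norway.jpg", "image/jpeg", HTML_BODY),
        ("HTML body, header says HTML", "/norway.jpg", "text/html; charset=utf-8", HTML_BODY),
    ]
    for label, path, ctype, body in cases:
        v = classify(path, ctype, body)
        print(label, rendering_decisions(v),
              "header/body mismatch" if not v.header_matches_body else "",
              "extension/header mismatch" if not v.extension_matches_header else "")
```

The second case is the one the thread is about: a header-obeying client treats the response as a (broken) image, while a body-sniffing client renders the HTML. The third case shows the poster's point B and C: once the server sends text/html, the .jpg name is irrelevant and every header-obeying client renders HTML. A response proxy or log check that flags `header_matches_body == False` catches the first situation without caring what the URL is called.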


