Re: Thumbnail security problem?
From: Hector Santos (nospam_at_nospam.com)
Date: 11/16/03
- In reply to: Robert Moir: "Re: Thumbnail security problem?"
Date: Sun, 16 Nov 2003 14:59:33 -0500
A follow-up:
Here is what I did:
1) Using START | SHUTDOWN | LOG OFF, I restarted with a new Windows login on
the local machine. I am not 100% sure if this is a 100% restart of explorer,
but I think it is.
2) I popped up explorer to where my *.URL files are at and it showed the
page again, however this time there was no GET request to my web server.
That means the authenticated came from "some" cache.
3) I closed explorer.
3) I popped up IE and TOOLS | Internet Options | Delete Files with [X]
delete all offline files.
4) I popped up explorer again and THIS TIME, there was no page. The window
was blank.
5) I double clicked the URL and it asked me to login. I logged in and
closed the browser.
6) I restarted IE and deleted the cache/offline files again, then closed the
browser.
7) With explorer still up, I moved the cursor up and back down to the URL
and behold, the page was shown.
I did this 3-4 times with the same result.
It means that Explorer will use the CACHE first, but then go to "somewhere"
else for credentials that are PERSISTENT for the current Windows Station
NTLM logged-in user.
It seems that by logging off the Windows station, and CLEARING the IE cache,
it was the only way to work around this flaw.
Rob, I would like to see an IIS HTTP log if possible for a basic
authentication process so I can compare the HTTP web server response
headers. Do you have one?
---
"Robert Moir" <bofh@mvps.org> wrote in message news:eOCf74GrDHA.920@TK2MSFTNGP10.phx.gbl...
> Hector Santos wrote:
> > I don't think you can't close down Explorer, which is by the way, what
> > controls your desktop, without restarting.
>
> You can if you are running Windows NT4, 2000, XP, or 2003 fairly trivially.
> You can call up task manager, open the process list, and close all instances
> of explorer.exe.
>
> Then once that's done, go to file / new task, type 'explorer' without the
> quotes into the box provided, hit enter, and you are back running again. You
> may lose all your "tray icons" doing this so it's not something I'd suggest
> doing for fun, but as IE and Explorer share some of the same processes I'm
> suggesting that someone who can replicate the problem (I still can't!) try
> this to see if it makes a difference.
>
> As you've now rebooted between the start and end of replicating the problem,
> you've confirmed what I was hoping to find out anyway, as you say it's
> permanent somewhere rather than temporary.
>
> As I said, I don't doubt there's a problem, I am happy to accept that I'm the
> exception rather than the rule in being unable to see it, but that makes
> trying to help nail it down rather difficult.
>
> --
> --
> Rob Moir
> Microsoft MVP for servers & security
> http://www.robertmoir.co.uk
> "802.11bofh - the *other* power over ethernet standard"