Message-ID: <3112699915.20040203204753@myrealbox.com>
Date: Tue, 3 Feb 2004 20:47:53 -0800
From: Sam Schinke <sschinke@...ealbox.com>
To: "Thor Larholm" <thor@...x.com>
Cc: bugtraq@...urityfocus.com
Subject: Re: MS to stop allowing passwords in URLs
Hello Thor,
Tuesday, February 3, 2004, 9:02:11 AM, you wrote:
TL> This has already been implemented in the out-of-schedule IE patch they
TL> released yesterday, MS04-040. This is also the first time they broke their
TL> promised monthly patch schedule, so far they have released patches in the
TL> second week of the month.
TL> http://www.microsoft.com/technet/security/bulletin/MS04-004.asp
There was a case of an "escaped" fix last month, wasn't there?
TL> However, if you hover your mouse over such a link you will see the status
TL> bar of the browser still displays the incorrect link. It seems like the
TL> incorrect parsing code is still there, but the current attack vector is
TL> gone - time to look for other pathways.
So this really IS a case of gutting a "feature" to spite a bug,
without actually fully fixing the bug. Or did I misunderstand you?
Were you referring to the %00 FQDN spoofing vulnerability or just the
display of the username:password in the URL bar?
I'll go answer those questions myself. *g*
Ok, I've confirmed that one (status bar showing spoofed domain with
%00) at secunia's test page. Of course, there are many other ways to
manipulate the status bar on a mouseover, but this flaw still applies
to some small extent.
http://www.secunia.com/internet_explorer_address_bar_spoofing_test/
The spoofing flaw does appear to be entirely gone in the URL bar,
though.
In one way or another, at any rate.
URLs spoofed with %00 in them issue an "invalid syntax" error
regardless of the state of the new registry keys mentioned in the KB.
This is done without modifying what is shown in the URL bar.
Everything is shown, including the spoofed string and the real domain.
Maybe people could be fooled into dialing a telephone number or
sending in the information by email "if this website is down due to
high demand". This isn't MS's problem IMO, though.
If the registry keys are set and no unusual characters are present,
the page loads as expected; however, the username:password string is
removed from the URL bar (I haven't tested whether a basic
authentication login will still occur).
So, the bug does seem to be fixed except on the status bar when
mousing over a link that is trying to spoof a destination.
--
Best regards,
Sam mailto:sschinke@...ealbox.com
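The two tricks this thread turns on (credentials in the authority part of a URL, and a percent-encoded NUL that hides the real host) are easy to flag mechanically, for instance in a mail gateway or link checker that wants to warn about such links regardless of how any one browser renders them. The following is an added example written for this archive page; it is not code from the thread, from Secunia, or from Microsoft, and the function name, the sample URLs and the wording of the findings are all constructed for illustration.

```python
from urllib.parse import urlsplit, unquote

def audit_url(url):
    """Return (real_host, findings) for one URL.

    Hypothetical helper: it reports the host a browser will actually
    connect to, and lists why the displayed link may mislead a reader:
      - a userinfo section ("user:pass@") in front of the real host, so the
        apparent host is really a username;
      - control characters (NUL etc.) once percent-encoding is decoded,
        the %00 case discussed in the thread.
    """
    findings = []
    parts = urlsplit(url)
    authority = parts.netloc

    if "@" in authority:
        # Everything before the last '@' is userinfo; a victim reads it as the site.
        userinfo, _, hostport = authority.rpartition("@")
        apparent = unquote(userinfo.split(":", 1)[0])
        findings.append(
            "userinfo before '@': apparent host %r, real host %r" % (apparent, hostport)
        )

    # Decode percent-escapes and look for anything that could truncate or
    # garble what a UI shows (C0 controls and DEL).
    decoded = unquote(authority)
    ctrl = [c for c in decoded if ord(c) < 0x20 or ord(c) == 0x7F]
    if ctrl:
        findings.append(
            "%d control character(s) in authority after decoding, e.g. %r"
            % (len(ctrl), ctrl[0])
        )

    # parts.hostname is taken from after the last '@', i.e. the real target.
    return parts.hostname, findings

# Constructed sample links: a plain one, one with credentials, and one
# using the %00 trick to make the userinfo look like the destination.
SAMPLE_URLS = [
    "http://www.example.com/login",
    "http://user:secret@www.example.com/",
    "http://www.example.com%00@203.0.113.5/",
]

def audit_all(urls=SAMPLE_URLS):
    """Audit a batch of URLs; returns {url: (real_host, findings)}."""
    return {u: audit_url(u) for u in urls}

if __name__ == "__main__":
    for url, (host, findings) in audit_all().items():
        print(url)
        print("  connects to:", host)
        for f in findings:
            print("  WARNING:", f)
```

Running it prints the real host for each sample and a warning line for the two deceptive links; the first URL produces no findings. Note that the check works on the URL text alone, so it catches the status-bar case Sam describes (where the browser UI is still misleading) as well as the address-bar case that the patch now rejects.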