Message-ID: <43047F33.3010807@moritz-naumann.com>
Date: Thu, 18 Aug 2005 14:29:39 +0200
From: Moritz Naumann <info@...itz-naumann.com>
To: tuytumadre@....net
Cc: Full Disclosure <full-disclosure@...ts.grok.org.uk>,
	bugtraq@...urityfocus.com
Subject: Re: Internet Explorer 6 Meta Refresh Parsing Weakness



Hi Paul,

and thanks for your opinion.

tuytumadre@....net schrieb:
> Why should Microsoft be accountable for the mistakes of webmasters? 

It is not. But in my opinion, the producer of the most used web browser
worldwide - independent of its name, organization type or history -
should consider improving the parsing of its web browser so that it
behaves in a way that conforms with standards, or, if there are none
defined (and that's the case here), the way people expect it. And you
cannot necessarily say that if you have two 'URL=' statements, the
average web developer would expect it to interpret the second one instead of
- interpreting the whole string and attempting to browse to the URL or
returning a syntax error
- interpreting only the first 'URL=' statement

> Have you even tested any of the other browsers?

I tested it on Internet Explorer 6 SP1 on Win 98 SE, IE 6 SP2 on XP SP2,
Firefox 1.0.6, Deerpark Alpha 2, Opera 8.02.1272 and Konqueror 3.3.2
(all of them on Debian GNU/Linux 3.1).

All the browsers I tested - except IE - interpreted the full string and
returned either a syntax error or tried to load the content stored at
the URI contained in the string.

Unluckily I forgot to include the URL of the test I set up. You can test
your preferred browser at
http://moritz-naumann.com/adv/0001/ie6meta/poc/index.html

> Even if you have, a webmaster should indeed be responsible for
> blindly redirecting a user to a url supplied in input. This isn't an
> Internet Explorer mistake - it is a webmaster mistake, and quite a
> silly one at that.

I totally agree with you.

However, in my example, it was not done totally blindly, some (though
much too little) filtering of user input was done. And several web
applications I know handle it this way. It is a common technique to get
rid of Referer HTTP headers which may contain session IDs when
forwarding users to an external site. I am not saying this is necessary
nor a good way to do it, I just say it is done this way in several web
applications.

I think this is a minor issue, and I think that Microsoft is only
partially responsible to fix this behaviour, nevertheless, they are. And
I wanted to get the word out on this to warn web application developers
about this unexpected and - in combination with badly coded web
applications - possibly harmful behaviour. So I did.

> Btw, if this message appears in your mailboxes twice, it's because I
> sent it twice (the first time I received a DNS failure message).

No problem. Better two than none. :)

Regards,
Moritz
_______________________________________________
Full-Disclosure - We believe in it.
Charter: http://lists.grok.org.uk/full-disclosure-charter.html
Hosted and sponsored by Secunia - http://secunia.com/
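As an added example (not from Moritz's post or his test page), here is a Python helper a web application could use before emitting the Referer-stripping meta refresh interstitial the thread mentions: it allowlists the destination host and rejects anything that could introduce a second 'URL=' or split the content attribute. The host names and the fallback URL are constructed for the example.

```python
from html import escape
from urllib.parse import urlsplit

# Hosts this application is willing to forward users to (constructed sample).
ALLOWED_HOSTS = {"www.example.org", "docs.example.org"}


def is_safe_redirect_target(target: str) -> bool:
    """True only for an absolute http(s) URL to an allowed host that cannot
    alter the "0;URL=..." value of a meta refresh content attribute."""
    if not isinstance(target, str) or not target or len(target) > 2048:
        return False
    # ';', quotes, angle brackets and control characters can terminate or
    # extend the content value; reject them rather than trying to escape them.
    if any(c in ';"\'<>' or ord(c) < 0x20 for c in target):
        return False
    # Deliberately conservative: a second "URL=" anywhere in the string is the
    # exact ambiguity the thread describes, so refuse it even in query strings.
    if "url=" in target.lower():
        return False
    try:
        parts = urlsplit(target)
        host = parts.hostname  # may raise ValueError on malformed IPv6 literals
    except ValueError:
        return False
    if parts.scheme not in ("http", "https"):
        return False
    return host is not None and host.lower() in ALLOWED_HOSTS


def meta_refresh_page(target: str, fallback: str = "https://www.example.org/") -> str:
    """Build the interstitial page; an unsafe target is replaced by the fallback."""
    dest = target if is_safe_redirect_target(target) else fallback
    href = escape(dest, quote=True)
    return (
        "<!DOCTYPE html><html><head>"
        f'<meta http-equiv="refresh" content="0;URL={href}">'
        "</head><body>"
        f'<a href="{href}">Continue</a>'
        "</body></html>"
    )
```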

