Aloha.

Below is an exact copy of the information found on the web site Mr. Veloso provided us with:

"The request for the favicon.ico file is first done on the same path of the current URL. If the file is not found, MSIE 5 will backup one directory in the directory hierarchy and try again. It will do this until it finds the file or reaches the web server root (e.g. if you try to bookmark this page, MSIE 5 will look for favicon.ico in http://web.cip.com.br/flaviovs/sec/favicon/, http://web.cip.com.br/flaviovs/sec/, http://web.cip.com.br/flaviovs/ and http://web.cip.com.br/)."

My experience is based on the following platform information:

  Windows 98 with all available updates (3717
  MSIE 5: 5.00.2014.0216IC 128-bit

Contrary to the information given at the cited URL, my best attempts at recreating this alleged phenomenon have been futile. In addition, I am fairly confident, based on every log analysis I have performed, that this is wrong. This is most obvious by creating a large hierarchy of directories like the following URL (note: there is nothing at this URL but an empty dir):

  http://www.plasmic.com/~jason/a/a/a/a/a/a/a/a/a/a/a/a/a/a/a/a/a/a/a/a/a/a/a/

I supposed that if what Flavio asserted was true, then IE5 would bombard the server with a plethora of requests for 'favicon.ico' when I added it to my 'Favorites'. Here is a sample of what was generated in my apache log file:

I open up the apache-generated directory listing web page:

  "GET /~jason/a/a/a/a/a/a/a/a/a/a/a/a/a/a/a/a/a/a/a/a/a/a/a/ HTTP/1.1" 200 733

After bookmarking the site, IE tries to find favicon.ico in the _current_ directory:

  "GET /~jason/a/a/a/a/a/a/a/a/a/a/a/a/a/a/a/a/a/a/a/a/a/a/a/favicon.ico HTTP/1.1" 404 8999

Directly thereafter (probably virtually simultaneous connections), IE5 attempts to retrieve favicon.ico from the _root_ directory of my web server:

  "GET /favicon.ico HTTP/1.1" 404 330

There are no requests in between the ones shown above.

Implications:

- This vulnerability may only be exploited by the owner of the current directory or the owner of the document root. This does not diminish its core significance, but is definitely a fundamental point in the understanding of this bug.

- Adding 'Favorites' does not generate as much traffic or as many requests as originally thought.

Regards,
Jason Sloderbeck

+===========================-------------------- - - - - - -
| University of Missouri/Kansas City - Computer Science/Telecom
|   hom: 816/452.8937   e: jsloderat_private   url: www.umkc.edu
| Plasmic Computer Systems - Chief Information Officer
|   off: 816/292.2870   e: jasonat_private   url: www.plasmic.com
| Midwest Internet Services - Sr. Systems Administrator
|   cel: 816/820.9279   e: sloderbeckat_private   url: www.mwis.net
+===========================-------------------- - - - - - -

----- Original Message -----
From: Flavio Veloso <flaviovsat_private>
To: <BUGTRAQat_private>
Sent: Monday, May 03, 1999 2:06 PM
Subject: MSIE 5 favicon bug

> Hi folks.
>
> When MSIE 5 users bookmark a page, the browser will request a file
> named "favicon.ico" which is to be used in the "Favorites" menu of the
> browser. Unfortunately MSIE 5 doesn't check the file integrity and
> crashes if faced with a bad-formed icon file.
>
> Upon crashing the stack gets filled with information from the icon
> file itself, so it may be possible to run code on the client machine,
> though I didn't test it.
>
> Microsoft was notified twice about this issue via the "Report a Bug"
> form on their web site. The first time about one month ago, the second
> time about two weeks ago. I didn't receive back any reply.
>
> More information about this bug (plus another privacy issue about the
> "favicon.ico" file) is available at
> http://web.cip.com.br/flaviovs/sec/favicon/index.html.
>
> --
> Flavio
>
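Added example, not part of the original message or of either poster's code: a Python check that compares the favicon.ico requests in an Apache access log against the parent-directory walk described on the cited page. The sample log is constructed in the shape of the three lines quoted in the message, with the directory depth shortened to 4; all function names are hypothetical.

```python
import re

# Matches the request portion of an Apache access-log line, as quoted in the message.
REQUEST = re.compile(r'"GET (\S+) HTTP/\d\.\d" (\d{3}) (\d+|-)')


def walk_up_candidates(page_path):
    """favicon.ico paths predicted by the parent-directory walk, deepest first."""
    directory = page_path.rsplit("/", 1)[0]          # drop any file name
    parts = [p for p in directory.split("/") if p]
    return ["/" + "/".join(parts[:i] + ["favicon.ico"])
            for i in range(len(parts), -1, -1)]


def favicon_requests(log_text):
    """Paths of every favicon.ico request found in the log, in log order."""
    return [m.group(1) for m in REQUEST.finditer(log_text)
            if m.group(1).endswith("/favicon.ico")]


def classify(page_path, log_text):
    """Return (behaviour, predicted paths that were never requested)."""
    predicted = walk_up_candidates(page_path)
    seen = favicon_requests(log_text)
    missing = [p for p in predicted if p not in seen]
    if not missing:
        return "walk-up", missing
    if set(seen) == {predicted[0], predicted[-1]}:
        return "current-and-root", missing
    return "other", missing


# Constructed sample: same shape as the three quoted log lines, depth shortened to 4.
PAGE = "/~jason/" + "a/" * 4
SAMPLE_LOG = "\n".join([
    f'"GET {PAGE} HTTP/1.1" 200 733',
    f'"GET {PAGE}favicon.ico HTTP/1.1" 404 8999',
    '"GET /favicon.ico HTTP/1.1" 404 330',
])

if __name__ == "__main__":
    behaviour, missing = classify(PAGE, SAMPLE_LOG)
    print(behaviour)
    for path in missing:
        print("never requested:", path)
```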
This archive was generated by hypermail 2b30 : Fri Apr 13 2001 - 14:45:26 PDT