Re: TXT or HTML? -- IE NEW BUG

From: Tom Laermans (tom.laermansat_private)
Date: Sun Jul 29 2001 - 04:20:53 PDT

    Hi,
    
    At 12:42 28/07/2001, you wrote:
    >It is my belief that Microsoft is aware of this. After all, they know they
    >have html parsers on their programs, because that's one of the functions of
    >those (go imagine IE not parsing html targets on files it reads stand-alone.
    >it wouldn't be a browser at all). Thus, this is no bug at all. Probably the
    >code parsing shouldn't be done in files other than .html, .htm, but if it is
    >not to be considered as a bug.
    
    Actually, it is a very large bug. Windows uses some sort of content-type in 
    its registry for all file extensions (check it out) ... Damn there are no 
    content-type thingies in 2K .. there WERE in 98 .. I'm sure of it. It 
    should only interpret for the HTML content type (text/html iirc) ... NOT 
    for any other. So don't filter on .html, .htm, but only on the content 
    type. (why else is the Content-Type: header present??)
    
    >I consider these not solutions to what you point out as a problem, but
    
    They are...
    
    >general tips to avoid security problems. Antiviral software won't prevent
    >html parsers from doing their job. Also, changing name of system utilities
    >won't do anything at all. About your 4th solution. I don't believe antiviral
    >software detects any kind of html or activex as being potentially harmful.
    
    Actually it does. If I surf to a site, defaced with the IIS/sadmind worm, 
    like www.nntp.be (their webmaster was mailed a long time ago that their site 
    was defaced, but... *sigh* oh well now I can use this as an example), McAfee 
    VShield pops up saying "Infected filename: <blablabla\temporary internet 
    files\blablabla> infected with SunOS/BoxPoison.worm" ....... So it does 
    warn... twice, even.
    
    >And finally, I don't believe any patch will come out to prevent html
    >parsing.
    
    Of course not. Then there would be no browsers anymore. But there HAS to 
    come a patch to prevent html parsing on non-html files.
    
    Tom
    
    -------------------------------------------------
    Web: http://www.powersource.cx --- ICQ#: 12120754
    Also check this out:  http://kickme.to/sidewinder
    Need some cheats?? http://www.chaos-cheatbase.com
    Keep Fido&BBS Alive!     http://skynetbbs.dyns.cx
    -------------------------------------------------
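
The rule argued for in the message above (choose how to handle a file from its declared Content-Type, not from its extension or from what the bytes look like), written out as an added example that is not part of the original thread. The function names and sample responses are constructed for illustration and do not model Internet Explorer's actual code.

```javascript
// Added illustration: two ways a client can decide whether to run the HTML
// parser over a response. All names and sample data are constructed.

// Parse "type/subtype; param=value" into a lowercase media type, or null.
function mediaType(headerValue) {
  if (typeof headerValue !== "string") return null;
  const essence = headerValue.split(";")[0].trim().toLowerCase();
  return /^[a-z0-9!#$&^_.+-]+\/[a-z0-9!#$&^_.+-]+$/.test(essence) ? essence : null;
}

// Behaviour the thread complains about: markup in the body wins over the
// declared type, so a .txt served as text/plain is still parsed as HTML.
function sniffingDecision(response) {
  const head = response.body.slice(0, 256).toLowerCase();
  if (/<(html|script|body|iframe)\b/.test(head)) return "render-html";
  return mediaType(response.contentType) === "text/html" ? "render-html" : "show-text";
}

// Behaviour the message asks for: only the declared type is consulted.
// A missing or malformed header falls back to plain text, never to HTML.
function strictDecision(response) {
  const type = mediaType(response.contentType);
  if (type === "text/html") return "render-html";
  if (type === null || type.startsWith("text/")) return "show-text";
  return "download";
}

// Constructed sample responses.
const samples = [
  { name: "page.html", contentType: "text/html; charset=iso-8859-1", body: "<html><body>hi</body></html>" },
  { name: "notes.txt", contentType: "Text/Plain", body: "<html><script>document.title='x'</script></html>" },
  { name: "readme.txt", contentType: "text/plain", body: "plain notes, no markup" },
  { name: "noheader", contentType: undefined, body: "<script>document.title='x'</script>" },
  { name: "tool.exe", contentType: "application/octet-stream", body: "MZ\u0090\u0000" },
];

// Print file name, sniffing result, strict result side by side.
for (const s of samples) {
  console.log(s.name.padEnd(12), sniffingDecision(s).padEnd(12), strictDecision(s));
}
```
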
    



    This archive was generated by hypermail 2b30 : Sun Jul 29 2001 - 10:29:30 PDT