RE: CommonName Toolbar potentially exposes LAN web addresses

From: Mustafa Deeb (mustafaat_private)
Date: Thu Oct 03 2002 - 08:09:12 PDT

    How can you get rid of CommonName?
    
    Cheers
    
    -----Original Message-----
    From: Eric Stevens [mailto:mightyeat_private]
    Sent: Thu, October 03, 2002 3:10 PM
    To: Bugtraq; supportat_private
    Subject: CommonName Toolbar potentially exposes LAN web addresses
    
    
    Due to a bug in the URL validation done in CommonName Toolbar (in at least
    dll version 3.5.2.0 on IE 6), addresses from local intranets may be exposed
    to the CommonName organization.  It would appear on early evaluation that
    valid URLs such as
    http://someserver/some/path
    are deemed an attempt to locate an organization named "someserver," with
    reference to "some path."
    
    The key seems to be the lack of a dot in the server name.
    
    The danger of this is relatively low; only CommonName is exposed to this
    information, and other search engines as configured by the user on the
    CommonName website, and even then only after a clickthrough on the
    CommonName website.  All are reputable organizations, though it does still
    represent a breach in data security.
    
    Though danger is low, annoyance factor is high: users are prevented from
    accessing their Intranet unless they use a dot-included version of the
    server name.
    
    More annoying to me than the bug, and the fact that users here who had it
    installed were prevented from actually being able to access our Intranet
    servers, however, is that when I turned off all CommonName options, users
    were still being directed to the CommonName website on Intranet requests.
    Further, in an attempt to allow these users access to our Intranet again, I
    closed out of all browsers and uninstalled the CommonName toolbar, restarted
    the system, and found that they were still being directed to the CommonName
    website on Intranet requests; my best efforts to disable the CommonName
    toolbar by supplied mechanisms were futile.
    
    The working solution was to remove all non-administrative access to the
    Program Files\CommonName directory, preventing users' IE sessions from being
    able to read the DLLs, and finally disabling the CommonNames auto-search
    functionality.
    
    As an aside, that caused me to stumble on an idea to proactively protect
    yourself from spyware; intentionally install it, or else find out what paths
    are used to install it, then deny yourself access to those paths, and even
    the sneakiest spyware will be unable to install itself on your system,
    unless it chooses random locations and file names.
    
    Further testing with CommonNames toolbar is left as an exercise to those
    without a database due tomorrow (read: the user).
    
    -MightyE
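
The dot-based decision described in the quoted report, as an added illustration that is not part of the original posts and is not CommonName's code: a constructed model of the reported behaviour beside a scheme-aware variant, with a helper listing which host names each would hand to an external lookup. All function names and every sample input except `http://someserver/some/path` are assumptions.

```javascript
// Constructed model of an address-bar keyword hook; not CommonName's actual code.
const SCHEME = /^[a-z][a-z0-9+.-]*:\/\//i;

// Extract the host part whether or not a scheme is present, dropping any port.
function hostOf(input) {
  return input.trim().replace(SCHEME, '').split(/[\/?#]/)[0].replace(/:\d+$/, '');
}

// Behaviour as reported: a host without a dot is treated as a keyword,
// even when the user typed a full URL with a scheme.
function classifyByDot(input) {
  return hostOf(input).includes('.') ? 'navigate' : 'keyword-lookup';
}

// Scheme-aware variant: an explicit scheme on a parseable URL always navigates;
// only scheme-less input falls back to the dot heuristic.
function classifyBySchemeFirst(input) {
  const text = input.trim();
  if (SCHEME.test(text)) {
    try {
      new URL(text); // throws on input that is not a well-formed URL
      return 'navigate';
    } catch (e) {
      return 'keyword-lookup';
    }
  }
  return classifyByDot(text);
}

// Hosts that a given classifier would hand to the external lookup service.
function exposedHosts(inputs, classify) {
  return inputs.filter((i) => classify(i) === 'keyword-lookup').map(hostOf);
}

// Constructed sample input; only the first entry comes from the post.
const SAMPLE = [
  'http://someserver/some/path',
  'http://someserver.corp.example/some/path',
  'http://wiki:8080/',
  'some company',
];

console.log('dot heuristic exposes:', exposedHosts(SAMPLE, classifyByDot));
console.log('scheme-first exposes: ', exposedHosts(SAMPLE, classifyBySchemeFirst));
```

Running the same helper over a list of intranet URLs in use on a network shows which single-label host names would leave the LAN under the dot heuristic.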
    



    This archive was generated by hypermail 2b30 : Thu Oct 03 2002 - 13:10:50 PDT