Type packetstorm
Reporter Packet Storm
Modified 1999-08-17T00:00:00


                                            `Date: Fri, 16 Apr 1999 22:11:22 -0700  
>From: "Robert David Graham" <rob@netice.com>  
Subject: favicon.ico  
In case you haven't heard, Microsoft has a new feature in IE 5.0 web  
browser. When you add a website to you "Favorites" (aka. Bookmarks for you  
Netscape users), the browser attempts to download a graphic called  
"favicon.ico", then show that icon along with the title of the webpage.  
This has two risks.  
First of all, the website owner is notified when you the page to your  
favorites, revealing information about yourself. A discussion of this can be  
found at http://msdn.microsoft.com/workshop/essentials/versions/ICPIE5.asp  
This privacy risk is probably minor, but I've seen several press articles on  
the subject.  
The second RISK is much more severe. Go to AltaVista (or any search engine)  
and search for "favicon.ico". You now have a list of 500 websites that  
expose their access logs. In the logs, you can find several websites that  
expose the URLs of CGI scripts, including passwords. Through manual  
searching, I found 2 sites that exposed logon information; I'm sure I can  
write a program that would scan those logs to look for CGI programs and get  
even more. This also exposes even more privacy information because these  
logs often contain the Referer field as well.  
This isn't unique to "favicon.ico". The RISK is really:  
* people are unintentionally exposing access logs on their web sites,  
exposing user information and possible passwords.  
* hackers can easily find vulnerable systems not by scanning the site itself  
(which can be detected by intrusion detection systems), but by searching a  
3rd party like AltaVista.  
Robert Graham  
CTO, Network ICE