IWETHEY v. 0.3.0 | TODO
Re: Don't use your "Back" button!
From the "Security Wire Digest"

*IE "BACK BUTTON" POSES RISK
By Shawna McAlearney
"Using the back button in IE (Internet Explorer) is dangerous" because it could allow an attacker to execute code and read local files, wrote a security researcher in an advisory released to Bugtraq this week.

Testing IE 6.0 running on Windows 2000 and XP, Andreas Sandblad determined that IE places URLs containing the JavaScript protocol in the history list, allowing code injected in the URL to operate in the same zone/domain as the last URL visited.

"The normal behavior when a page fails to load is to press the back button," says Sandblad. "The error page shown by IE is operating in the local computer zone. Thus, we can execute code and read local files."

Though only ranked as a moderate threat because it requires user interaction, the problem poses several security and privacy risks.

"This security issue is a major threat on privacy for anyone using Internet Explorer," says Sandblad, a student in engineering physics at the University of Umea in Sweden. "Basically, it allows Webmasters to retrieve a lot of sensitive information like cookies and local files from visitors and also enables programs to execute. Without your knowledge, you could end up sending away passwords to your Internet bank account or your secret love letter."

Sandblad says he notified Microsoft of the problem last November, but a patch hasn't been released.

"We...determined that because the proposed exploit scenario is dependent upon specific user interaction as a prerequisite, it does not meet our definition of a security vulnerability," says a Microsoft spokesperson. "This scenario does not constitute a viable threat to users following standard best practices. That said, we remain vigilant in our commitment to keeping users' information safe and will be addressing this issue in an upcoming release."

The recommended workaround is to disable active scripting or not to use the back button.

(Emphasis added is mine. Too bad we can't add the sws flag!)

[link|http://online.securityfocus.com/archive/1/267561|BugTraq Link]

[link|mailto:jbrabeck@mn.mediaone.net|Joe]
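The advisory above hinges on IE keeping URLs with the JavaScript protocol in its history list and navigating to them on "Back". The browser bug itself only a vendor patch can fix, but a webmaster can at least make sure pages under their control never emit such links, so that a visitor's history does not pick them up from that site. The following is an added example, not code from the Security Wire Digest article, from Sandblad's advisory, or from IWETHEY: a scheme check that reads a URL the way a lenient browser of the period did (case-insensitive, ignoring leading whitespace and embedded control characters), an href sanitizer built on it, and a scan over a constructed list of harvested hrefs. The scheme sets and the sample hrefs are constructed for the example.

```python
import re
from typing import List, Optional

# Schemes whose URLs carry script to run rather than a resource to fetch.
# Constructed for this example from the two script protocols the thread
# mentions (JavaScript and VBScript); extend it to suit your own policy.
SCRIPT_SCHEMES = {"javascript", "vbscript"}

# Schemes an href in rendered content may use (also a constructed policy).
ALLOWED_SCHEMES = {"http", "https", "mailto"}

# RFC 3986 scheme syntax: a letter followed by letters, digits, "+", "-" or ".".
_SCHEME_RE = re.compile(r"^[a-z][a-z0-9+.\-]*$")


def normalize_scheme(url: str) -> str:
    """Return the scheme of url as a lenient browser reads it; "" for a relative URL.

    Browsers of the IE 6 era skipped leading whitespace and embedded control
    characters before the colon and matched the scheme case-insensitively, so a
    check for the literal prefix "javascript:" misses "JaVaScRiPt:" and
    " \tjavascript:".  This function applies the same tolerance so that the
    check agrees with what the browser would actually do with the URL.
    """
    # Drop ASCII control characters and whitespace that lenient parsers ignored.
    cleaned = re.sub(r"[\x00-\x20\x7f]", "", url)
    head, sep, _rest = cleaned.partition(":")
    if not sep:
        return ""  # no colon at all: a relative URL
    head = head.lower()
    # "/docs/a:b" has a colon but nothing scheme-shaped before it: still relative.
    return head if _SCHEME_RE.match(head) else ""


def is_script_url(url: str) -> bool:
    """True when the URL would execute script instead of fetching a resource."""
    return normalize_scheme(url) in SCRIPT_SCHEMES


def sanitize_href(url: str) -> Optional[str]:
    """Return url unchanged if relative or on the allowed-scheme list, else None.

    Allowlisting schemes rather than blocklisting the script ones means a scheme
    you did not think of (about:, res:, ...) is refused by default.
    """
    scheme = normalize_scheme(url)
    if scheme == "" or scheme in ALLOWED_SCHEMES:
        return url
    return None


def find_script_links(hrefs: List[str]) -> List[str]:
    """Return the entries of a harvested href list that use a script scheme."""
    return [h for h in hrefs if is_script_url(h)]


# Constructed sample: hrefs as they might be harvested from a site's pages.
SAMPLE_HREFS = [
    "http://intranet.example/home",
    "/docs/readme.txt",
    "JaVaScRiPt:void(0)",
    "mailto:joe@example.invalid",
    ' \tvbscript:MsgBox "hi"',
    "http://intranet.example/search?q=javascript:void(0)",  # script text in the query, not the scheme
]


if __name__ == "__main__":
    for href in SAMPLE_HREFS:
        verdict = "script link" if is_script_url(href) else "ok"
        print(f"{verdict:12} scheme={normalize_scheme(href)!r} href={href!r}")
    print("flagged:", find_script_links(SAMPLE_HREFS))
```

The last sample href shows why the check looks only at the scheme: `javascript:` appearing inside a query string is ordinary data and is not flagged, while a script scheme hidden behind case changes or leading whitespace is.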
No, you are mistaken.
    The recommended workaround is to disable active scripting or not to use the back button.

The correct workaround is to use a browser other than IE.

Wade.

"All around me are nothing but fakes
Come with me on the biggest fake of all!"

Indeed!
apt-get install mozilla, and don't spare the horses.


Peter
[link|http://www.debian.org|Shill For Hire]
[link|http://www.kuro5hin.org|There is no K5 Cabal]
Wheeeeeeeeee!
Get Mozilla and hope to high waters that the web sites are not using ActiveX or VBScript.

Rumor has it there is still an ActiveX/VBScript Plug-in for Netscape/Mozilla, but I cannot find it. NetCompass used to have one, but for some reason they quit making it?

I am free now, to choose my own destiny.
Is that to miss the Point?
Why on Earth - would one surf a site with both (or either) those shit-magnets turned ON? To see the dancing otters? Get up-close to the latest truss ad?

And why would one look for a Mozilla-variant -- suppose that would build a sand-box around *all* the possible crap? Maybe I just don't understand the lurid details but.. is there anyone running Windoze for more than a few weeks, who isn't vaguely aware that it is an insecure POS, utterly unable to cope without lots of add-on protection? Acti-Vex ON ???

You want to turn-ON the biggest crap-magnets of all.. And yer a Pro?

Ashton
Just not clever enough to smear blood all over body and then go diving in shark-infested waters..
2nd miss - "apt-get install mozilla" doesn't work w/Windows.
Alex

"Never express yourself more clearly than you think." -- Niels Bohr (1885-1962)
You've missed the point
First they have to reformat the drive and install Linux, and then apply the Mozilla browser. :)

I am free now, to choose my own destiny.
Don't start on the Otters!
I had enough of dancing screen otters from my former employer the lawfirm, remember?

But I was thinking of creating my own otters, for the use of good instead of evil. Whenever I created a program that did something useful and was innovative, I called it an Otter as a joke. But the management kept changing the requirements just before I got it done, and I had to start all over again. If I reinvent the wheel, and do it without managers screwing me up, I think I can hammer out some decent software packages, if only I could get some time to myself and away from my family for a while. Problem is the job search, the family, and trying to clean up my "war room" and the rest of the house keeps me too darn busy to do much. But I do have ideas, oh yes, I do have ideas.

OTTER = Online Totally Terrific Electronic Resource

They rejected my idea to name a project that, but the fools! The fools! They couldn't see the brilliance of my work, ahahahahah!

Now what were we talking about?

I am free now, to choose my own destiny.
What sites are those then?

Peter
[link|http://www.debian.org|Shill For Hire]
[link|http://www.kuro5hin.org|There is no K5 Cabal]
Mostly Intranet sites that I created
for Dewey Cheatham & Howe (Not their real name) that used VBScript and ActiveX controls. They have clients that use Unix and Netscape that want to connect to their network. When I suggested Javascript and Java, they laughed me out of the meeting. But who is laughing now that they try to do their overdue Windows 2000 migration while XP is out? It was this time last year that they started their Windows 2000 migration and according to my ex-coworkers they still haven't completed it yet. The applications are done, but not the workstations.

Plus Microsoft's web sites, like the MSDN Subscription downloads.

I am free now, to choose my own destiny.
     Don't use your "Back" button! - (lincoln) - (11)
         Re: Don't use your "Back" button! - (jbrabeck) - (9)
             No, you are mistaken. - (static) - (8)
                 Indeed! - (pwhysall) - (7)
                     Wheeeeeeeeee! - (orion) - (6)
                         Is that to miss the Point? - (Ashton) - (3)
                             2nd miss - "apt-get install mozilla" doesn't work w/Windows. -NT - (a6l6e6x) - (1)
                                 You've missed the point - (orion)
                             Don't start on the Otters! - (orion)
                         What sites are those then? -NT - (pwhysall) - (1)
                             Mostly Intranet sites that I created - (orion)
         Don't worry - (kmself)