Re: MS to stop allowing passwords in URLs

To: "Thor Larholm" <thor@xxxxxxxx>
Subject: Re: MS to stop allowing passwords in URLs
From: Sam Schinke <sschinke@xxxxxxxxxxxxx>
Date: Tue, 3 Feb 2004 20:47:53 -0800
Cc: bugtraq@xxxxxxxxxxxxxxxxx
In-reply-to: <b76a01c3ea77$77f2e240$6401a8c0@0xff>
List-help: <mailto:bugtraq-help@securityfocus.com>
List-id: <bugtraq.list-id.securityfocus.com>
List-post: <mailto:bugtraq@securityfocus.com>
List-subscribe: <mailto:bugtraq-subscribe@securityfocus.com>
List-unsubscribe: <mailto:bugtraq-unsubscribe@securityfocus.com>
Mailing-list: contact bugtraq-help@xxxxxxxxxxxxxxxxx; run by ezmlm
References: <b76a01c3ea77$77f2e240$6401a8c0@0xff>
Reply-to: Sam Schinke <sschinke@xxxxxxxxxxxxx>

Hello Thor,

Tuesday, February 3, 2004, 9:02:11 AM, you wrote:

TL> This has already been implemented in the out-of-schedule IE patch they
TL> released yesterday, MS04-040. This is also the first time they broke their
TL> promised monthly patch schedule, so far they have released patches in the
TL> second week of the month.

TL> http://www.microsoft.com/technet/security/bulletin/MS04-004.asp

There was a case of an "escaped" fix last month, wasn't there?

TL> However, if you hover your mouse over such a link you will see the status
TL> bar of the browser still displays the incorrect link. It seems like the
TL> incorrect parsing code is still there, but the current attack vector is
TL> gone - time to look for other pathways.

So  this  really  IS  a  case  of  gutting a "feature" to spite a bug,
without  actually  fully  fixing  the bug. Or did I misunderstand you?
Were  you referring to the %00 FQDN spoofing vulnerability or just the
display of the username:password in the URL bar?

I'll go answer those questions myself. *g*

Ok,  I've  confirmed  that one (status bar showing spoofed domain with
%00)  at  secunia's test page. Of course, there are many other ways to
manipulate  the status bar on a mouseover, but this flaw still applies
to some small extent.

http://www.secunia.com/internet_explorer_address_bar_spoofing_test/

The  spoofing  flaw  does  appear  to be entirely gone in the URL bar,
though.

In one way or another, at any rate.

URL's  spoofed  with  %00  in  them  issue  an  "invalid syntax" error
regardless  of the state of the new registry keys mentioned in the KB.
This  is  done  without  modifying  what  is  shown  in  the  URL bar.
Everything is shown, including the spoofed string and the real domain.
Maybe  people  could  be  fooled  into  dialing  a telephone number or
sending  in  the  information by email "if this website is down due to
high demand". This isn't MS's problem IMO, though.

If  the  registry  keys are set and no unusual characters are present,
the  page  loads  as expected, however the username:password string is
removed   from   the   URL  bar  (I  havn't  tested  whether  a  basic
authentication login will still occur).

So,  the  bug  does  seem  to  be  fixed except on the status bar when
mousing over a link that is trying to spoof a destination.

-- 
Best regards,
 Sam                            mailto:sschinke@xxxxxxxxxxxxx

References:
- RE: MS to stop allowing passwords in URLs
  - From: Thor Larholm

Prev by Date: Multiple File Format Vulnerabilities (Overruns) in REALOne & RealPlayer
Next by Date: Re: Two checkpoint fw-1/vpn-1 vulns
Previous by thread: RE: MS to stop allowing passwords in URLs
Next by thread: RE: MS to stop allowing passwords in URLs
Index(es):
- Date
- Thread