|
 |
aspx thread: IE5.5 and VS.net Beta 1 hole?
Message #1 by "Sarte, Amiel" <Amiel.Sarte@e...> on Wed, 25 Jul 2001 16:47:18 +0100
|
|
Hello guys,
I thought my browser is safe. I installed the ms fix but
the site that exposed my vulnerability still reports problem
with my browser. They can see my harddisk and heaven knows
what else.
I suspect VS.net Beta 1 is responsible for this hole. I have
problems viewing some sites after intalling vs.net months ago
I thought they're just incompatibility problems so I just
ignore them until I discovered the error yesterday.
Did anyone experience this and please advise how to fix it.
Regards,
Mel
ps.
this is the link. Can you try your browser too?
http://www.angelfire.com/wy2/proxyblind/index2.html
Message #2 by "Samuel Engelman" <samuel_engelman@p...> on Wed, 25 Jul 2001 12:12:39 -0400
|
|
I don't think they can actually see what's on your hard drive. It just
shows in
your browser.
|--------+--------------------------------->
| | "Sarte, Amiel" |
| | <Amiel.Sarte@e...> |
| | |
| | |
| | Wednesday July 25, 2001 11:47 |
| | AM |
| | Please respond to "ASP+" |
| | |
|--------+--------------------------------->
>--------------------------------------------------------------------
--------|
|
|
| To: "ASP+" <aspx@p...
> |
| cc:
|
| Subject: [aspx] IE5.5 and VS.net Beta 1 hole?
|
>--------------------------------------------------------------------
--------|
Hello guys,
I thought my browser is safe. I installed the ms fix but
the site that exposed my vulnerability still reports problem
with my browser. They can see my harddisk and heaven knows
what else.
I suspect VS.net Beta 1 is responsible for this hole. I have
problems viewing some sites after intalling vs.net months ago
I thought they're just incompatibility problems so I just
ignore them until I discovered the error yesterday.
Did anyone experience this and please advise how to fix it.
Regards,
Mel
ps.
this is the link. Can you try your browser too?
http://www.angelfire.com/wy2/proxyblind/index2.html
---
Message #3 by Wim Hollebrandse <Wim.Hollebrandse@c...> on Wed, 25 Jul 2001 17:05:38 +0100
|
|
This is NOT a security hole.
If you had looked in the HTML code you can see they simple created an
HREF
link to file:///c|/ in an IFRAME, indeed, a local file URL which will
open
an explorer window with your C harddrive contents.
The server itself doesn't know a thing about your hdd contents.
-----Original Message-----
From: Sarte, Amiel [mailto:Amiel.Sarte@e...]
Sent: 25 July 2001 16:47
To: ASP+
Subject: [aspx] IE5.5 and VS.net Beta 1 hole?
Hello guys,
I thought my browser is safe. I installed the ms fix but
the site that exposed my vulnerability still reports problem
with my browser. They can see my harddisk and heaven knows
what else.
I suspect VS.net Beta 1 is responsible for this hole. I have
problems viewing some sites after intalling vs.net months ago
I thought they're just incompatibility problems so I just
ignore them until I discovered the error yesterday.
Did anyone experience this and please advise how to fix it.
Regards,
Mel
ps.
this is the link. Can you try your browser too?
http://www.angelfire.com/wy2/proxyblind/index2.html
Message #4 by "Sarte, Amiel" <Amiel.Sarte@e...> on Wed, 25 Jul 2001 17:24:29 +0100
|
|
Hi Samuel,
I hope, but I doubt it. That's the reason why I call it a hole.
When you surf a "trusted" site, someone can write an application
that will be called in the background of the webserver to
"see through" the client. We know the story...
For other developers here using 5.5 without VS do not get the same
result.
On that same site, it has a "crash browser" test. I tried it too
(out of curiosity) and it did crash my system. Using my Netscape 4.7
though, is fine. But who wants to use it? :)
Can somebody verify?
Mel
-----Original Message-----
From: Samuel Engelman [mailto:samuel_engelman@p...]
Sent: 25 July 2001 18:13
To: ASP+
Subject: [aspx] Re: IE5.5 and VS.net Beta 1 hole?
I don't think they can actually see what's on your hard drive. It just shows
in
your browser.
|--------+--------------------------------->
| | "Sarte, Amiel" |
| | <Amiel.Sarte@e...> |
| | |
| | |
| | Wednesday July 25, 2001 11:47 |
| | AM |
| | Please respond to "ASP+" |
| | |
|--------+--------------------------------->
>---------------------------------------------------------------------------
-|
|
|
| To: "ASP+" <aspx@p...>
|
| cc:
|
| Subject: [aspx] IE5.5 and VS.net Beta 1 hole?
|
>---------------------------------------------------------------------------
-|
Hello guys,
I thought my browser is safe. I installed the ms fix but
the site that exposed my vulnerability still reports problem
with my browser. They can see my harddisk and heaven knows
what else.
I suspect VS.net Beta 1 is responsible for this hole. I have
problems viewing some sites after intalling vs.net months ago
I thought they're just incompatibility problems so I just
ignore them until I discovered the error yesterday.
Did anyone experience this and please advise how to fix it.
Regards,
Mel
ps.
this is the link. Can you try your browser too?
http://www.angelfire.com/wy2/proxyblind/index2.html
Message #5 by "Li, Fang" <fang@c...> on Wed, 25 Jul 2001 14:22:01 -0400
|
|
I test several machines with Office XP (without installing VS.NET)
I can see the local C: Driver too.
Fang
-----Original Message-----
From: Sarte, Amiel [mailto:Amiel.Sarte@e...]
Sent: Wednesday, July 25, 2001 12:24 PM
To: ASP+
Subject: [aspx] Re: IE5.5 and VS.net Beta 1 hole?
Hi Samuel,
I hope, but I doubt it. That's the reason why I call it a hole.
When you surf a "trusted" site, someone can write an application
that will be called in the background of the webserver to
"see through" the client. We know the story...
For other developers here using 5.5 without VS do not get the same
result.
On that same site, it has a "crash browser" test. I tried it too
(out of curiosity) and it did crash my system. Using my Netscape 4.7
though, is fine. But who wants to use it? :)
Can somebody verify?
Mel
-----Original Message-----
From: Samuel Engelman [mailto:samuel_engelman@p...]
Sent: 25 July 2001 18:13
To: ASP+
Subject: [aspx] Re: IE5.5 and VS.net Beta 1 hole?
I don't think they can actually see what's on your hard drive. It just shows
in
your browser.
Message #6 by Wim Hollebrandse <Wim.Hollebrandse@c...> on Wed, 25 Jul 2001 23:51:01 +0100
|
|
Like I said before, it is just a normal IFRAME link with the source
property
pointed to your local C hard drive. None of that is sent to the server.
The
link is defined in the browser, and it's being pulled from your own
hard
drive! The webserver serves you the page, and after loading the page,
your
browser starts loading frames (iframes) and images. When your browser
comes
accross a link starting with file:// for instance file:///c|/ , it will
just
notice that this is the local harddisk and show its contents via
Windows
Explorer (traffic going from browser to local drive and back). Remember
that
client side your browser does the interpreting of that file URL. The
webserver has nothing to do with that.
Can someone please back me up here!? Scott? ;)
-----Original Message-----
From: Sarte, Amiel [mailto:Amiel.Sarte@e...]
Sent: 25 July 2001 17:24
To: ASP+
Subject: [aspx] Re: IE5.5 and VS.net Beta 1 hole?
Hi Samuel,
I hope, but I doubt it. That's the reason why I call it a hole.
When you surf a "trusted" site, someone can write an application
that will be called in the background of the webserver to
"see through" the client. We know the story...
For other developers here using 5.5 without VS do not get the same
result.
On that same site, it has a "crash browser" test. I tried it too
(out of curiosity) and it did crash my system. Using my Netscape 4.7
though, is fine. But who wants to use it? :)
Can somebody verify?
Mel
-----Original Message-----
From: Samuel Engelman [mailto:samuel_engelman@p...]
Sent: 25 July 2001 18:13
To: ASP+
Subject: [aspx] Re: IE5.5 and VS.net Beta 1 hole?
I don't think they can actually see what's on your hard drive. It just
shows
in
your browser.
Message #7 by "George Saliba" <georges@c...> on Wed, 25 Jul 2001 17:04:25 -0700
|
|
Your analysis is correct. This is like embedding a pdf document, or an
excel document (or anything else) into the browser window. IE does it,
Netscape can't. Its all client side.
-George Saliba
-----Original Message-----
From: Wim Hollebrandse [mailto:Wim.Hollebrandse@c...]
Sent: Wednesday, July 25, 2001 3:51 PM
To: ASP+
Subject: [aspx] Re: IE5.5 and VS.net Beta 1 hole?
Like I said before, it is just a normal IFRAME link with the source
property
pointed to your local C hard drive. None of that is sent to the server.
The
link is defined in the browser, and it's being pulled from your own hard
drive! The webserver serves you the page, and after loading the page,
your
browser starts loading frames (iframes) and images. When your browser
comes
accross a link starting with file:// for instance file:///c|/ , it will
just
notice that this is the local harddisk and show its contents via Windows
Explorer (traffic going from browser to local drive and back). Remember
that
client side your browser does the interpreting of that file URL. The
webserver has nothing to do with that.
Can someone please back me up here!? Scott? ;)
-----Original Message-----
From: Sarte, Amiel [mailto:Amiel.Sarte@e...]
Sent: 25 July 2001 17:24
To: ASP+
Subject: [aspx] Re: IE5.5 and VS.net Beta 1 hole?
Hi Samuel,
I hope, but I doubt it. That's the reason why I call it a hole.
When you surf a "trusted" site, someone can write an application
that will be called in the background of the webserver to
"see through" the client. We know the story...
For other developers here using 5.5 without VS do not get the same
result.
On that same site, it has a "crash browser" test. I tried it too
(out of curiosity) and it did crash my system. Using my Netscape 4.7
though, is fine. But who wants to use it? :)
Can somebody verify?
Mel
-----Original Message-----
From: Samuel Engelman [mailto:samuel_engelman@p...]
Sent: 25 July 2001 18:13
To: ASP+
Subject: [aspx] Re: IE5.5 and VS.net Beta 1 hole?
I don't think they can actually see what's on your hard drive. It just
shows
in
your browser.
Message #8 by "Joe Fawcett" <joefawcett@h...> on Thu, 26 Jul 2001 11:33:21 +0100
|
|
I'll back you up, for what it's worth. To prove there's no security risk
re-create a similar page, set the iframe source to a text file you know
exists and try using script to access the actual contents. You'll get an
'Access denied' error or similar unless you have enabled 'Access data
sources across domains' in your security settings.
Joe
|
|
|
View Cart
