Hello , all. IE6 kicks Firefox's BUG : Local Information Disclosure. MIME types (commonly used on the web) determine what kind of content is being sent down and give the browser an idea of how to parse,render or otherwise deal with the content. "application/zip", for example, is what's sent by the web server when your browser accesses a ZIP file. Directory-specific directive files such as .htaccess (as used by Apache, for example) can be used to associate a particular MIME type with a given file extension.For example, AddType application/xhtml+xml .xhtml will configure Apache to send .xhtml files with application/xhtml+xml. Internet Explorer's support of XHTML is incomplete.IE does not recognize the xhtml MIME type - "application/xhtml+xml" which is required for true XHTML compliance. So instead of rendering the page, a file download prompt is presented to the user. See also. http://www.w3.org/TR/xhtml-media-types/ http://www.rfc-editor.org/rfc/rfc3236.txt http://www.w3.org/People/mimasa/test/xhtml/media-types/ http://www.w3.org/People/mimasa/test/xhtml/media-types/results Many people who wants to read XHTML files, install Firefox that supports XHTML files with MIME type - "application/xhtml+xml" . ========= STORY ========= A man gets a new PC. OS is Windows XP SP2. Of course, he does not forget WindowsUpdate. Now his machine is full-pached. He installs Firefox, and sets that Firefox is as his default browser. He wants to read XHTML files with "Content-Type: application/xhtml+xml". Next day,he opens his Firefox Options General , clears "Firefox should check to see if it is the default browser when starting" check box. And he runs InternetExplorer, he sets IE as his default browser again. Now he opens "My documents folder" window, choosing 'tools',then 'folder options', 'filetypes' tab. He selects the filetype ".xhtml" and check out it. He find that Firefox is still associated with the file type. Yes. InternetExplorer can not open XHTML files, he thinks. O.K. when he wants to read HTML files, IE opens the pages, and when he wants to read XHTML files, Firefox opens the resources, COOL TIPS! he thinks. ========= NOTE ========= === He is wrong. That is not COOL. === ========= STORY ========= An attacker makes "bar.xhtml" (application/xhtml+xml) and "foo.html" (text/html). Below are samples. === http://[malicious-site]/foo.html === The server gives Content-Type: text/html ======================================== link to bar.xhtml Click Me. ======================================== === http://[malicious-site]/bar.xhtml === The server gives Content-Type: application/xhtml+xml ========================================= IE - Firefox : Local Information Disclosure

IE - Firefox : Local Information Disclosure

boot.ini (Windows XP with Service Pack 2)

display local_file

%USERPROFILE% Folder , Internet Cache Folder Random PATH for IE

========================================= ========= NOTE ========= See also. [Bugzilla] https://bugzilla.mozilla.org/show_bug.cgi?id=273419 https://bugzilla.mozilla.org/show_bug.cgi?id=230606 [Full-Disclosure ML] Disclosure of local file content in Mozilla Firefox and Opera http://lists.grok.org.uk/pipermail/full-disclosure/2004-December/ 029833.html --- Giovanni Delvecchio 029846.html --- Juergen Schmidt 029856.html --- Thor Larholm (Thanks a lot.) ========= STORY ========= One day, he uses IE, and visits the attacker's site. As soon as he accesses the URL , http://[malicious-site]/foo.html , he sees the "File Download" dialog box pop up. =============================================== File Download - Security Warning Do you want to run or save this file? Name: bar.xhtml Type: Unknown (file type), 1.23 KB From: [malicious-site] button: [Run] [Save] [Cancel] check box: Always ask before opening this type of file Blue Shield Icon : While files from the Internet can be useful,this file type can potencially harm your computer. If you do not trust the source, do not run or save this software. What's the risk? ================================================ ========= NOTE ========= Be careful to Checkbox, And Blue Shield Icon. Not yellow Icon !! ========= STORY ========= He read this Dialog and think that ,,,,,,. - O.K. It is NOT yellow Icon. if the file is bad one, Icon is yellow - or red. Why blue Icon ? Because "bar.xhtml" is a XHTML file and - it is safe. Type is unknown? Because IE does not recognize - the xhtml MIME type. Good. - Hmmmmm. "Always ask before opening this type of file" ? - XHTML file is safe when Firefox opens it. I will clear the check - box. That is all. O.K. Now I will click the "Run" button. ========= NOTE ========= When you first choose to download a file in Internet Explorer, you receive a Confirm File Open dialog box."The Always ask before opening this type of file" check box in this dialog box is selected. If you clear the "Always ask before opening this type of file" check box, the registry entry for this setting is changed and you do not see the Confirm File Open dialog box in subsequent download sessions. Instead, Internet Explorer automatically opens files instead of downloading them. By the way, see also. http://www.microsoft.com/technet/security/smallbusiness/prodtech/ windowsxp/iesecxp.mspx [quoted] Heed any warnings. When a Web site attempts to download a file to your computer, Internet Explorer displays a message about saving, running, or installing the file. If the message contains a yellow caution icon, then the file has been identified as one that could pose a risk. [/quoted] Where is about blue Icon? Is it safe? ;-) In this story, 'HE' knows that yellow or red is dangerous icon. At last he clicks 'Run' button. ========= STORY ========= Firefox runs and display http://[malicious-site]/bar.xhtml Files of this XHTML type are automatically placed === in the Temporary Internet Files folder ==== and opened by the program that is associated with the file type. Then his local machine information is disclosed via javascript. boot.ini %USERPROFILE% Internet Cache Folder Random PATH for IE and so on E.T.C. He is very surprised. His name is bitlance winter.... ;-< ========= NOTE ========= This is a bad behavior of InternetExplorer. "Files of the type are automatically placed === in the Temporary Internet Files folder ==== and opened by the program that is associated with the file type." This is a bad behavior of InternetExplorer ,too. If he does not clear the checkbox "Allways..." when he clicks "Run" button, files of the type are placed === in the Temporary Internet Files folder ==== and opened by the program that is associated with the file type. Firefox ? uhhhmmmmmm . Opera is FIXED, perhaps. Tested on WindowsXP SP2 InternetExlorer6 SP2 full-patched (Japanese version) - Version 6.0.2900.2180.xpsp_sp2_gdr.050301-1519 Filrefox 1.0.3 (en-US) - Mozilla/5.0 (Windows; U; Windows NT 5.1; en-US; rv:1.7.7) - Gecko/20050414 Firefox/1.0.3 Sorry too bad English. Thank you for your reading this true story. Best Regards. -- bitlance winter _________________________________________________________________ Don’t just search. Find. Check out the new MSN Search! http://search.msn.click-url.com/go/onm00200636ave/direct/01/ _______________________________________________ Full-Disclosure - We believe in it. Charter: http://lists.grok.org.uk/full-disclosure-charter.html Hosted and sponsored by Secunia - http://secunia.com/