Internet Explorer and Your Web Site's Privacy
Several months ago, Security Fix looked at a feature of Microsoft's Internet Explorer 6 Web browser that was difficult to fathom (see: Clipboard Data Theft Optional in IE7). While interviewing a source at the DEF CON hacker conference last week, I encountered another such "what-were-they-thinking" feature in Windows, which can occur when someone uses IE to initiate an FTP (File Transfer Protocol) connection to a Web site.
Web site administrators typically use FTP to move files from their computer up to their Web site, and vice versa. Most people probably use more full-featured, third-party FTP software to do this, but Microsoft Windows also includes its own built-in FTP functionality.
The problem is that if you FTP to your target site, open a Web page file (one that ends in ".html" for example) in IE6 and then save that file onto your computer, the browser will embed your FTP user name and password into the saved file. If you are unaware of this feature, and happen to later e-mail or otherwise share that saved file with anyone else, you will also give them the credentials they would need to add, modify or remove content on your Web site.
Don't take my word for it. If you're still using IE6 and administer a Web site, fire up FTP on Windows. To do this, open IE and type ftp:// in place of http://. After that, provide the user name for an FTP account that you have permission to modify (e.g., ftp://email@example.com). IE will then prompt you to enter your password, and after a successful login it will drop you into your Web site's main directory. Open a file in the FTP directory that ends in HTM, HTML or MHT, and then save it to your computer. Now, open the saved file in any Web browser and select "View," and then "View Source." Your credentials should be listed at the top of the source file.
The DEF CON attendee who showed me this bug -- a guy named Alex who runs security for a Midwestern brokerage firm -- said he first alerted Microsoft to this rather obvious problem in 2004. Microsoft's response, sent to Alex via e-mail, was that fixing it would require a "rearchitecture" of the feature, something Redmond typically would not attempt in one of its monthly security bulletins.
"Essentially, IE is designed to support FTP for convenience, but not to be a full-featured FTP client, which is why we include a separate FTP client in the operating system," wrote Christopher, a researcher with the Microsoft Security Response Center. "The reason IE includes the user name and password in saved files is because they are part of the URL. IE saves the URL in downloaded files so it can run them in an appropriate security zone at a later time, even though they are now located on the local system."
So, if Microsoft wouldn't fix this feature in a security bulletin, surely it would remedy it in a full rewrite of the browser, with the release of IE7, right?
Not quite. Trying to use the FTP functionality in IE7 was something of an annoying experience, as the browser kept refusing to serve certain pages after I connected to my FTP site. At first, it appeared Microsoft had indeed nixed this feature in IE7. However, if you select "View" from the menu tab (if you don't see the View menu in IE7, hit the "Alt" key), you should see the option "Open FTP Site in Windows Explorer." Web page files opened and saved from an FTP site using this method also contain the user's FTP login credentials.
What makes this a big deal? Consider the following. Let's say you use IE to pull down a few HTML files off of your Web site. After viewing the file in IE and making a couple of changes, you save the document and FTP it back to your site. Congratulations. If anyone viewing that page or document happens to check the source, they will then have the user name and password needed to control your Web server.
Update, Aug. 13, 3:32 p.m.: Vulnerability watcher Secunia has posted an advisory about this issue, which credits Security Fix as the source.
August 7, 2007; 1:30 PM ET
Categories: From the Bunker , Latest Warnings , Safety Tips
Save & Share: Previous: Citing Security Concerns, California Limits E-Voting
Next: Watch Out for Fake Tax 'Rebate' Sites
Posted by: C.B. | August 7, 2007 2:07 PM | Report abuse
Posted by: Douglas Spencer | August 7, 2007 5:27 PM | Report abuse
Posted by: antibozo | August 7, 2007 6:28 PM | Report abuse
Posted by: Beau | August 7, 2007 7:18 PM | Report abuse
Posted by: antibozo | August 7, 2007 7:49 PM | Report abuse
Posted by: Anonymous | August 8, 2007 11:07 AM | Report abuse
Posted by: Snorty | August 8, 2007 1:34 PM | Report abuse
Posted by: f1re | August 10, 2007 12:41 PM | Report abuse
Posted by: fgf | August 10, 2007 1:31 PM | Report abuse
Posted by: logic | August 10, 2007 1:36 PM | Report abuse
Posted by: logic | August 10, 2007 1:37 PM | Report abuse
Posted by: DA | August 10, 2007 2:29 PM | Report abuse
Posted by: antibozo | August 10, 2007 2:29 PM | Report abuse
Posted by: Bk | August 10, 2007 4:41 PM | Report abuse
Posted by: nikon | August 12, 2007 9:50 AM | Report abuse
Posted by: Rick | August 12, 2007 2:37 PM | Report abuse
Posted by: Dan Kaminsky | August 12, 2007 9:57 PM | Report abuse
Posted by: antibozo | August 13, 2007 1:37 AM | Report abuse
Posted by: Dan Kaminsky | August 13, 2007 10:50 AM | Report abuse
Posted by: antibozo | August 13, 2007 12:09 PM | Report abuse
Posted by: Rick | August 13, 2007 12:42 PM | Report abuse
Posted by: Alex | August 13, 2007 2:36 PM | Report abuse
Posted by: jotaele | August 17, 2007 4:44 AM | Report abuse
Posted by: webmaster | August 21, 2007 4:42 AM | Report abuse
The comments to this entry are closed.