OSEC

Neohapsis is currently accepting applications for employment. For more information, please visit our website www.neohapsis.com or email hr@neohapsis.com
Bugtraq archives for 4th quarter (Oct-Dec) 1997: IE4 and channels

IE4 and channels

Jon Cargille (jonathan.cargilleCyberSafe.COM)
Thu, 2 Oct 1997 11:13:55 -0700 

Alan Cox writes:
   Just a teaser to start with: Most folks will remember the netscape java
   bug that allowed you to snoop on what people where visiting. Well IE4.0
   goes a bit further than this - Logging of your actions, even when you
   would otherwise be shielded by proxies is _BUILT_ _IN_

Are you sure that the PUT/POST isn't directed through your proxy?  And
are you sure that the client's ip-addr is exposed if posting through a
proxy?

If a proxy is used for the POST, then the client's ip-addr is shielded
from that transaction at least.  And I'd be willing to put money on
the IE implementation respecting your proxy settings for the POST,
since it is in their own best interest; otherwise, content provides
would lose useful logs from all those sites hidden behind firewalls,
where proxies are required for all access.  ;-)

The only real question is whether the the logs that are uploaded also
reveal your IP addr, and I don't know the answer to that question.
The "Extended Log File Format [W3C-WD-logfile]" that IE uses for the
logs certainly _supports_ client ip-addr as one of the fields in the
log, but is by no means a _required_ field.  So, the logs that are
being uploaded may be innocuous in that regard (I haven't checked).
If not, that would be an issue.

If the ip-addr isn't in the log, and proxies are used for the POST
connection, then the functionality and the privacy implications are
essentially identical to normal web use (HTTP GETs are logged on every
server anyway).

   The channel definition format (.CDF)
   http://www.microsoft.com/standards/cdf-f.htm

   includes a LOGTARGET feature that allows a web site provider to make
   your browser deliver logs of your usage via an http post or put. Even hits
   from cache are logged.

The addition of hits in cache is slightly different, but not really
disturbing; most sites don't put "Expires" headers in their content,
in an attempt to log future (cached) accesses anyway (due to the
Get-if-modified check of cache freshness).

   This is all not so good and getting worse. Not only is the information posted
   material you wouldn't want to give to a provider it also being http post/put
   normally is spoofable anyway.

Just as your current HTTP GETs are current spoofable.

   Unanswered question for next time - or for folks with more time than me
   to follow up

   o       Can you put other sites in your channel definition and get logs of
           when they read your competitor site

Nope, at least not according to the design (though implementation bugs
are possible).

>From the CDF spec:

> An ITEM can be logged only if the path of the ITEM's HREF attribute
> falls under the path of the CDF's URL or the path of the LOGTARGET's
> HREF.

So, you could only capture logs of your competitors site if they're
silly enough to host your CDF file for you.  Or if you spoofed DNS to
capture accesses destined for their site, and shoved the CDF down such
a spoofed connection; but that's no different than spoofing DNS and
capturing normal HTTP GETs to monitor accesses to a competitor's site.

Jon

--
Jon Cargille                    Jonathan.CargilleCyberSafe.com
"I said it; I claim it; don't blame my employer or anyone else for it."