Hi
Does anyone know how to block or redirect pages that contain a response
header / redirection Location-header containing the string "URL:" ?
Best Regards,
Morten Lange
~~~~~~~~~~~~~
Background :
~~~~~~~~~~~~~
http://secunia.com/advisories/11793/ :
1) A variant of the "Location:" local resource access vulnerability can
be exploited via a specially crafted URL in the "Location:" HTTP header
to open local files.
Example:
"Location: URL:ms-its:C:\WINDOWS\Help\iexplore.chm::/iegetsrt.htm"
[...]
Solution:
- Disable Active Scripting support for all but trusted web sites.
- Filter "Location:" headers containing the "URL:" prefix in a proxy
server.
- Use another browser.
Also see
http://www.kb.cert.org/vuls/id/713878
http://www.w3.org/Protocols/rfc2616/rfc2616-sec14.html#sec14.30
-- Morten Lange But my views are my own etc.
Received on Thu Jul 08 2004 - 21:26:36 MDT
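An added example, not part of the original post and not configuration for any particular proxy: the check the advisory's second workaround describes, written as a response-header filter. The function names are hypothetical, the sample responses are constructed (the first uses the advisory's own example value), and matching "URL:" case-insensitively is an assumption.

```python
import re

# The advisory's "URL:" prefix, anchored at the start of the header value.
# Assumption: case is ignored, so "url:" is treated the same way.
URL_PREFIX = re.compile(r"url:", re.IGNORECASE)

def location_values(raw_headers):
    """Return every Location value found in a raw response header block."""
    text = raw_headers.decode("latin-1")
    # Unfold continuation lines (RFC 2616 section 2.2) so a value that is
    # split across lines cannot hide the prefix from the check.
    text = re.sub(r"\r?\n[ \t]+", " ", text)
    values = []
    for line in text.split("\n")[1:]:        # skip the status line
        line = line.rstrip("\r")
        if not line:
            break                            # blank line ends the headers
        name, sep, value = line.partition(":")
        # Header names are case-insensitive; check every Location header.
        if sep and name.strip().lower() == "location":
            values.append(value.strip())
    return values

def should_block(raw_headers):
    """True if any Location header value starts with the URL: prefix."""
    return any(URL_PREFIX.match(v) for v in location_values(raw_headers))

# Constructed sample responses.
ADVISORY = (b"HTTP/1.1 302 Found\r\n"
            + rb"Location: URL:ms-its:C:\WINDOWS\Help\iexplore.chm::/iegetsrt.htm"
            + b"\r\n\r\n")
FOLDED = b"HTTP/1.1 302 Found\r\nlocation:\r\n  url:ms-its:example\r\n\r\n"
BENIGN = (b"HTTP/1.1 302 Found\r\n"
          b"Location: http://example.com/?next=URL:foo\r\n\r\n")

if __name__ == "__main__":
    for name, resp in (("advisory", ADVISORY), ("folded", FOLDED),
                       ("benign", BENIGN)):
        print(name, "block" if should_block(resp) else "pass")
```

The benign sample passes because the match is anchored to the start of the value; a plain substring search for "URL:" would also block ordinary redirects that carry the string in a query parameter.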