have you fucked with a monopoly today?

By anders pearson 08 Feb 2001

i have.

a while back, i mentioned that IE was broken with respect to displaying images that had html in their comment field. what i didn’t mention at the time was that it was somewhat worse than that. IE5 on the mac not only didn’t display the image, but it would actually render the html, complete with javascript. this becomes a bit of a problem when you run a site that allows people to upload images but puts a lot of effort into removing harmful javascript from untrusted html. no admin in their right mind would think to scan images for javascript. if you remember all the fuss from a few months ago about “Cross Site Scripting” vulnerabilities or have a good imagination, you’ll see that this is actually a relatively severe problem.

anyway, when my coworker and i discovered it back in august or so, we got distracted and never really went beyond the “hmmm… we should probably tell someone about this” stage.

then, the other day, someone on a webdesign mailing list was complaining about IE ignoring mimetypes and i replied with an “oh, just let me tell you about IE ignoring mimetypes…” rant in which i mentioned this vulnerability we’d discovered. Kee Hinckley took it upon himself to write a quick perl script using this vulnerability to exploit a hotmail account (they work pretty hard to remove javascript from email coming in but — surprise, surprise — they don’t check images).

so, with a proof-of-concept exploit for a large site (one of probably thousands that would be vulnerable in various ways), we decided that it should be written up and posted to bugtraq.

so, if you use IE5 on the mac, IE4 on windows, (maybe other browsers too, we haven’t done too much testing yet) or run a website that allows users to upload images, you should take the necessary precautions. see the bugtraq link above for details.