
Re: confused about web servers



Dave Sherohman wrote:

Some years ago, I was working on a web-based voicemail/telephony
interface and discovered that the then-current version of MSIE would
look at the last portion of retrieved URLs and, if they looked like a
recognized file extension, it would completely ignore Content-Type and
attempt to behave based on the extension.  I lost a fair bit of time
trying to figure out why it kept trying to execute the page returned
(with Content-Type text/plain!) when I started testing login with an
email address.  MSIE saw

http://some.server.com/foo?blah=blah&email=bar@baz.com

as a .com file and wanted to treat it accordingly...

I'm pretty sure that's been fixed by now (or at least I really hope it
has, given the security implications!), but I could see it happening
again.

Yes, that was the basis of a fair few viruses. E.g. content type: midi or wav. Hey, that's a safe file, I'll pass it over to the execution handler to play it. The execution handler looks at it, sees a .exe file, knows that IE has certified it safe to run and runs it.

Another of those 'what *were* they thinking of?' moments.
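
The mismatch described in this thread (a URL whose tail, query string included, looks like an executable extension while the declared Content-Type is inert) can be checked for on the server side. The following is an added example, not part of the original messages; the extension and type lists and the sample URLs other than the one quoted above are constructed for illustration.

```python
from urllib.parse import urlsplit, unquote

# Illustrative (not exhaustive) extensions Windows treats as executable.
EXECUTABLE_EXTS = {"com", "exe", "bat", "cmd", "pif", "scr"}
# Declared types that should only ever be displayed or played, never run.
INERT_TYPES = {"text/plain", "text/html", "audio/midi", "audio/wav"}


def trailing_extension(url):
    """Extension the URL appears to end with, query included, host excluded."""
    parts = urlsplit(url)
    tail = unquote(parts.path + ("?" + parts.query if parts.query else ""))
    _, dot, ext = tail.rpartition(".")
    if not dot or not ext.isalnum():
        return None
    return ext.lower()


def sniffing_risk(url, content_type):
    """Return the executable-looking extension when it contradicts an inert type."""
    media_type = content_type.split(";", 1)[0].strip().lower()
    ext = trailing_extension(url)
    if media_type in INERT_TYPES and ext in EXECUTABLE_EXTS:
        return ext
    return None


# Constructed sample: (URL, Content-Type the server sent) pairs.
SAMPLE_RESPONSES = [
    ("http://some.server.com/foo?blah=blah&email=bar@baz.com", "text/plain"),
    ("http://some.server.com/foo?email=bar%40baz%2Ecom", "text/plain; charset=utf-8"),
    ("http://some.server.com/tune.exe", "audio/midi"),
    ("http://some.server.com/foo?blah=blah", "text/plain"),
    ("http://some.server.com/", "text/html"),
]


def audit(responses):
    """List (url, extension) for every response a sniffing client could misread."""
    hits = ((url, sniffing_risk(url, ctype)) for url, ctype in responses)
    return [(url, ext) for url, ext in hits if ext]


if __name__ == "__main__":
    for url, ext in audit(SAMPLE_RESPONSES):
        print(f"declared type is inert but URL ends in .{ext}: {url}")
```

Current browsers honour the `X-Content-Type-Options: nosniff` response header, which tells the client to trust the declared Content-Type rather than guess from the content or URL.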

