Date: Wed, 12 Jan 2000 18:55:19
From: Microsoft Product Security Response Team <secure@microsoft.com>
To: "'Russ'" <Russ.Cooper@rc.on.ca>, "'3APA3A'" <3APA3A@SECURITY.NNOV.RU>
Subject: RE: Re[2]: MS IE5 + ftp proxy
--------------------------------------------------------------------------------
Absolutely -- we're not disagreeing at all that it's a bug and we need
to fix it. I was just trying to make the point that, although we do
need to fix it, it doesn't place any customers at risk and so should be
treated as a high-priority bug but not an emergency. Hope I didn't
leave any other impression. Cheers,
Secure@microsoft.com
-----Original Message-----
From: Russ [mailto:Russ.Cooper@rc.on.ca]
Sent: Wednesday, January 12, 2000 4:50 AM
To: '3APA3A'; Microsoft Product Security Response Team
Cc: Russ
Subject: RE: Re[2]: MS IE5 + ftp proxy
Microsoft;
This issue IS a security bug, not a security vulnerability. If proxy use has
been configured, then nothing should silently usurp it. The fact that this
isn't exploitable does not take away from the very real fact that it will
baffle security administrators who think their browser clients have been
constrained to proxy use.
I'll be releasing the message to NTBugtraq.
Cheers,
Russ - NTBugtraq Editor
-----Original Message-----
From: 3APA3A [mailto:3APA3A@SECURITY.NNOV.RU]
Sent: Wednesday, January 12, 2000 4:12 AM
To: Microsoft Product Security Response Team
Cc: 'russ@rc.on.ca'
Subject: Re[2]: MS IE5 + ftp proxy
Hello Microsoft,
Wednesday, January 12, 2000, 3:39:37 AM, you wrote:
MPSRT> Hi -
MPSRT> Wanted to get back in touch and let you know what the status of the
MPSRT> investigation is. This doesn't look like a security vulnerability,
MPSRT> because there's no capability for someone to alter or read data without
But it creates a risk for people who use a proxy for security reasons,
i.e. to hide their IPs or to access FTP through ipfw.
In any case it's not a big hole since it's solvable.
MPSRT> permission, usurp administrative control of the machine, or deny
MPSRT> service. However, we would like to evaluate this as a potential bug.
MPSRT> Would you be willing to provide some data about your DNS servers to help
MPSRT> the engineers troubleshoot? Thanks,
I use DNS ns.sci-nnov.ru [195.122.226.2] (FreeBSD 3.2-RELEASE, bind 8.1).
But I don't see how this could depend on DNS. It doesn't matter if I
use IP or host name and it doesn't depend on the FTP server - I tried a few.
The Russian version of IE5.0 also has the same bug; the option has a different
name and the action of this option is inverted.
--
Best regards,
3APA3A
P.S.
MCP, MCP+I, MCSE
MPSRT> Secure@microsoft.com
MPSRT> -----Original Message-----
MPSRT> From: Microsoft Product Security Response Team
MPSRT> Sent: Monday, January 10, 2000 7:58 PM
MPSRT> To: '3APA3A'; 'russ@rc.on.ca'
MPSRT> Subject: RE: MS IE5 + ftp proxy
MPSRT> Hi -
MPSRT> Thanks for your note. I'll ask the IE development team to investigate
MPSRT> this right away. Regards,
MPSRT> Secure@microsoft.com
MPSRT> -----Original Message-----
MPSRT> From: 3APA3A [mailto:3APA3A@SECURITY.NNOV.RU]
MPSRT> Sent: Monday, January 10, 2000 7:14 AM
MPSRT> To: Microsoft Product Security Response Team;
MPSRT> NTBUGTRAQ@LISTSERV.NTBUGTRAQ.COM
MPSRT> Subject: MS IE5 + ftp proxy
MPSRT> Hello,
MPSRT> Sorry if this problem was noticed before.
MPSRT> Problem: IE5 doesn't use the proxy for FTP connections if the option
MPSRT> "Enable folder view for FTP sites" is checked. This option is
MPSRT> checked by default.
MPSRT> Configuration: tested in 2 configurations:
MPSRT> 1. Windows NT 4.0 wrkst + SP5 + IE5.0
MPSRT> 2. Windows NT 4.0 wrkst + SP6a + IE5.01
MPSRT> Both have the problem.
MPSRT> There is no problem under SP5 + IE401SP1a
MPSRT> Description:
MPSRT> FTP proxy address is set in browser configuration (or option "use
MPSRT> one proxy for all protocols" is checked), but IE5 doesn't use the
MPSRT> proxy for the data connection, but tries to use a direct connection
MPSRT> instead. Since IE5 uses active FTP mode and couldn't be configured
MPSRT> to use passive (that isn't good), this fact makes a problem for
MPSRT> firewalling.