On Tue, 2005-01-11 at 23:49 -0800, Brion Vibber wrote:
> In Windows XP SP2, IE now has an option to turn off some of this
> autodetection, though I'm not sure it fixes all such holes. The unsafe
> behavior is on by default.

Brion,
in my test only 5.0 exhibits this bug, 5.5 and 6.0 both offer to save
the file (both on Win2K). For them the behaviour with php is unchanged.
There are likely more interesting exploits with 5.0 anyway, possibly
requiring more effort from the attacker.

> The workaround is to require that a 'raw' access be made from a
> canonical script URL, which will have a nice boring .php or .phtml
> extension and doesn't trigger the IE type autodetection bug. I did this
> with a redirect (instead of simply a 403 rejection) to preserve
> existing links.

Unfortunately this breaks wikis where edit/diff etc URLs are supposed to
be short and tidy. There the browser gets stuck in an endless
redirection loop. It's not too hard to fix this though, will change it
in the next days.
--
Gabriel Wicke
MediaWiki hosting, support and development
http://wikidev.net wicke(a)wikidev.net
Tel(SIP) +49 (0)1801-7775555258, Mob +49 (0)177 2065127
Eckernförder Str.58, 24116 Kiel
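
The workaround quoted above, sketched as an added example (not MediaWiki's code and not the change either poster made). The function name, its parameters and the sample paths are hypothetical, and answering with a denial when the canonical script URL itself lacks a .php/.phtml extension is an assumption about one way to avoid the redirect loop described in the reply.

```php
<?php
// Added illustration only. All names and sample paths are hypothetical.

/** Lower-cased extension of the last path segment, '' if there is none. */
function pathExtension(string $path): string
{
    return strtolower(pathinfo($path, PATHINFO_EXTENSION));
}

/**
 * Decide how to answer a request for the raw text of a page.
 *
 * $requestPath  path the browser asked for, without the query string
 * $title        page title resolved from the request
 * $scriptPath   the wiki's configured canonical script URL path
 *
 * Returns ['serve'], ['redirect', $url] or ['deny'].
 */
function rawAccessDecision(string $requestPath, string $title, string $scriptPath): array
{
    $boring = ['php', 'phtml']; // the extensions named in the thread
    $scriptIsBoring = in_array(pathExtension($scriptPath), $boring, true);

    // Request already uses the canonical script URL with a boring extension.
    if ($scriptIsBoring && $requestPath === $scriptPath) {
        return ['serve'];
    }
    // Loop guard (assumption): if the canonical URL has no boring extension,
    // a redirect to it would fail this same check again, so refuse instead.
    if (!$scriptIsBoring) {
        return ['deny'];
    }
    // Otherwise redirect to the canonical form so existing links keep working.
    $query = http_build_query(['title' => $title, 'action' => 'raw']);
    return ['redirect', $scriptPath . '?' . $query];
}

// Constructed sample requests: [request path, title, configured script path].
$samples = [
    ['/w/index.php',   'Foo.html', '/w/index.php'], // canonical entry point
    ['/wiki/Foo.html', 'Foo.html', '/w/index.php'], // pretty URL, .html in path
    ['/wiki/Foo.html', 'Foo.html', '/wiki'],        // short-URL wiki, no .php
];
foreach ($samples as [$path, $title, $script]) {
    $decision = implode(' ', rawAccessDecision($path, $title, $script));
    echo "$path (script $script) => $decision\n";
}
```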