COMMAND

    Internet Explorer

SYSTEMS AFFECTED

    IE 5.0

PROBLEM

    Frank Knobbe found the following.  The information exposed by IE5
    is stored in the URL history file (index.dat) in clear text:

        ftp://uname:password@ftp.example.co.jp

    Worst of all, the URL history files (index.dat) themselves are
    not protected by an ACL (null ACL) by default.  So every user who
    can access the winnt directory can read other users' index.dat
    files and obtain their URL histories.  The scenario is as follows:

    - By default, IE5 stores URL histories in:

        \winnt\profiles\[user]\history\history.ie5\index.dat

      or

        \winnt\profiles\[user]\history\history.ie5\MSHist......\index.dat

    - By default, these index.dat files themselves are not protected
      by an ACL.

    - By default, Everyone has the "Bypass traverse checking" right.
      Therefore everyone who can access the winnt directory can access
      other users' index.dat files.

    - For example, the Guest user can access the Administrator's URL
      histories with the following command line:

        find "//"<\winnt\profiles\administrator\history\history.ie5\index.dat

    (of course, "Guest" is just an example).  This has been confirmed
    on:

        - Windows NT4.0 SP4 (JP) IE5 5.00.2014.0216
        - Windows NT4.0 SP4 (US) IE5
        - Windows 2000 Beta3 (JP) IE5 5.00.2516.1900
        - Windows 2000 RC1 (JP) IE5 5.00.2919.800
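    As an added example (not part of the advisory or of Microsoft's
    guidance), the following Python script lets an administrator or a
    user audit a history file for URLs that embed a password, so that
    those passwords can be changed.  Like the "find" check above it
    does not parse the index.dat format; it assumes the URL appears as
    a plain byte string, and the sample data is constructed.

```python
import re
from typing import List, Tuple

# Credentials embedded in a URL (scheme://user:password@host).  The history
# file format itself is not parsed; this assumes the URL is stored as a
# contiguous byte string, which is what the advisory's "find" check relies on.
_CRED_URL = re.compile(
    rb'([a-z][a-z0-9+.-]*)://([^:/@\s\x00]+):([^@/\s\x00]+)@([^/\s\x00"<>]+)',
    re.IGNORECASE,
)

# Constructed sample standing in for a history file; not a real index.dat.
SAMPLE_HISTORY = (
    b'URL \x00\x00ftp://uname:password@ftp.example.co.jp/pub/\x00'
    b'URL \x00\x00http://www.example.com:8080/index.html\x00'
    b'URL \x00\x00ftp://ftp.example.org/pub/\x00'
    b'URL \x00\x00ftp://uname:password@ftp.example.co.jp/pub/\x00'
)


def find_exposed_credentials(data: bytes) -> List[Tuple[str, str, str]]:
    """Return unique (scheme, user, host) triples for URLs that carry a
    password.  The password is deliberately dropped so the report can be
    handed to the user who must change it without copying the secret."""
    seen: List[Tuple[str, str, str]] = []
    for m in _CRED_URL.finditer(data):
        scheme, user, _password, host = (g.decode('latin-1') for g in m.groups())
        entry = (scheme.lower(), user, host.lower())
        if entry not in seen:
            seen.append(entry)
    return seen


def redact_url(url: str) -> str:
    """Replace an embedded password with '***' so a URL can be logged."""
    return re.sub(r'(://[^:/@\s]+:)[^@/\s]+(@)', r'\1***\2', url)


def audit_history_file(path: str) -> List[Tuple[str, str, str]]:
    """Scan one history file (e.g. a user's own index.dat) for exposed
    credentials; the path is whatever the caller passes in."""
    with open(path, 'rb') as fh:
        return find_exposed_credentials(fh.read())


if __name__ == '__main__':
    import sys
    hits = (audit_history_file(sys.argv[1]) if len(sys.argv) > 1
            else find_exposed_credentials(SAMPLE_HISTORY))
    for scheme, user, host in hits:
        print(f'password exposed for {user}@{host} ({scheme}); change it')
```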

SOLUTION

    Microsoft is currently changing how IE5 handles FTP passwords.  But
    as regards the URL histories (the index.dat null ACL problem), they
    said that it is due to poor administrative procedures rather than
    a product vulnerability.  MS gave the following recommendations:

        a) remove "Bypass Traverse Checking" for everyone except
           administrators

        b) set the permissions on all directories and files in each
           user's profile to allow only the owner (and possibly an
           administrator) to access them

        c) disable URL histories if the URLs contain sensitive
           information like passwords

        d) use the FTP client, rather than IE, in cases where it is
           unacceptable to pass the password as part of the URL

    Recommendation b) does not work well, because IE5 creates a new
    index.dat file every day under the MSHist.... directory without an
    ACL, so you would have to reset the permissions every day.