Category Archives: Microsoft

Microsoft products and services.

Microsoft Security

After running Windows Update recently to install the latest patch, I came across this warning message. I thought this message was very indicative of the current state of Microsoft products, and thought it was quite funny. The message stated the following, and offered a choice of Yes or No:

Microsoft GDI+ Detection Tool

The software tool has detected that you are running Microsoft software that may contain a security vulnerability. There are security updates available from Microsoft that fix this security vulnerability.

Would you like to learn more about the security vulnerability as well as the necessary security updates that address it? (Note that if you click No this tool will not prompt you again.)

File Upload Security

Recently, from a post sent by Peter-Paul Koch to css-discuss, I discovered a security flaw using <input type="file"> controls, CSS and JavaScript. Peter explained a technique that allows authors to have more control over the style of file upload controls. For those of you who don’t know, browser vendors limit the amount of styling and DOM access to file upload controls for security reasons. This technique can be used to make the user think they are simply entering text into an ordinary text box, when in fact they are entering it into a file upload control.

It works by positioning an ordinary text box underneath a file upload control and then setting opacity for the file upload control to 0:

input.file {
    /* Assumes the file upload control has a
     * class="file" attribute
     */
    -moz-opacity: 0; /* For Mozilla */
    opacity: 0;      /* For CSS3 compliant UAs including
                      * recent Mozilla builds */
    filter: alpha(opacity=0); /* For IE */
}

JavaScript is used to copy the text from the file upload control to the text box behind, as it’s entered by the user. This security hole applies to Mozilla, Firefox and Internet Explorer.

I created some demonstrations to show how this could potentially be used. Combine that with the security holes discussed in bug 57770, and that’s quite a serious exploit. I reported it on bugzilla, and to Microsoft. Although Microsoft’s feedback mechanism was not very easy to find, I eventually found an e-mail address and actually received a prompt reply thanking me for taking the time to contact them with my constructive feedback (it was not just an automated response). I’m yet to hear anything from Bugzilla, nor a reply to my post to the WHAT-WG mailing list. Let me know how serious you think this is, or if you feel like putting it to some practical use.

PS. I still have 2 GMail invites available. e-mail me if you want one.

Validating (X)HTML With IE Using File Upload

Warning: The following describes how to modify the registry in order to trick Windows XP SP2 into allowing text/html to be sent with file uploads. This hack has known side effects which may affect other applications running on your system, some of which are discussed in the comments. As a result, I accept no responsibility for damage caused to your system as a result of applying this hack, and this solution is provided as-is, with no guarantee, warranty or support. If you do not understand the registry, nor how to reverse any change, then do not apply these changes – use them at your own risk.

Update: This technique is no longer required for HTML. Please see Validation by file upload and Internet Explorer on WinXP SP2

After downloading Windows XP Service Pack 2 recently, I was shocked that IE was now sending HTML documents with a .htm or .html extension as text/plain, thus causing the W3C Markup Validator to issue this warning message:

Sorry, I am unable to validate this document because its content type is text/plain, which is not currently supported by this service.

The Content-Type field is sent by your web server (or web browser if you use the file upload interface) and depends on its configuration. Commonly, web servers will have a mapping of filename extensions (such as “.html”) to MIME Content-Type values (such as text/html).

That you recieved this message can mean that your server is not configured correctly, that your file does not have the correct filename extension, or that you are attempting to validate a file type that we do not support yet. In the latter case you should let us know that you need us to support that content type (please include all relevant details, including the URL to the standards document defining the content type) using the instructions on the Feedback Page.

This essentially means that it was impossible to validate any local HTML document using IE. This is really annoying, especially for any unfortunate developers who are forced to develop using only IE at work. Although I do pity anyone in that situation, there is now some relief!

After spending about half an hour searching through the registry for any setting that could be causing .html files to be sent as text/plain, I realised that it would be easier to find the setting for other content types that do work, such as CSS. So, I found the setting for that, modified it, and tested. When the CSS Content Type value was set to anything but text/html, IE uploaded the file with that MIME type. Thus, I came to the conclusion that it was not that the setting was incorrect, but that something in Windows security was preventing any text/html content being sent by changing it to text/plain on the way.

After that, I tried setting the value for .html files to another type that the validator may support, such as text/sgml or application/sgml, but sadly, without luck! But, just before giving up all hope, I realised that perhaps Windows security, being as insecure as ever, is only checking for an exact match on the content type being set by IE with file uploads. I was correct!

In a normal HTTP header, the Content-Type can also include a charset parameter. For example:

Content-Type: text/html; charset=UTF-8

So, I figured, what if I want IE to send a charset parameter also? I set the Content Type value in the registry to that above, and it worked perfectly — the file validated!!! However, the charset will not always be UTF-8, or any other charset for that matter, so I removed the charset parameter, and was left with the value "text/html;". That extra little semi-colon on the end is enough to bypass Windows security, and validate any HTML file.
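The exact-match weakness described above, as an added example (not code from the original post, and not the actual Windows XP SP2 check): a filter that compares the raw Content-Type string misses "text/html;", while one that extracts the media type before comparing does not. The function names, the blocked-type set and the sample values are assumptions made for illustration.

```python
# Added illustration: why an exact string match on Content-Type is bypassable.
# BLOCKED, naive_is_blocked and normalized_is_blocked are hypothetical names;
# this does not reproduce the real Windows XP SP2 logic.

BLOCKED = {"text/html"}


def naive_is_blocked(content_type: str) -> bool:
    """Exact comparison against the raw header value."""
    return content_type in BLOCKED


def media_type(content_type: str) -> str:
    """Return the lowercased type/subtype, without parameters or padding."""
    # Everything after the first ';' is parameters (e.g. charset=UTF-8).
    essence = content_type.split(";", 1)[0]
    return essence.strip().lower()


def normalized_is_blocked(content_type: str) -> bool:
    """Compare only the parsed media type, ignoring case and parameters."""
    return media_type(content_type) in BLOCKED


# Constructed sample values, including the two variants from the post.
SAMPLES = [
    "text/html",
    "text/html;",
    "text/html; charset=UTF-8",
    "Text/HTML",
    " text/html ",
    "text/css",
    "application/xhtml+xml",
]


def compare(samples=SAMPLES):
    """Return (value, naive_result, normalized_result) for each sample."""
    return [(s, naive_is_blocked(s), normalized_is_blocked(s)) for s in samples]


if __name__ == "__main__":
    for value, naive, normalized in compare():
        flag = "  <-- missed by exact match" if normalized and not naive else ""
        print(f"{value!r:32} naive={naive!s:5} normalized={normalized!s:5}{flag}")
```

Any policy keyed on a MIME type should compare the parsed type/subtype, never the raw header string.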

Then, I remembered that IE does not know how to validate XHTML documents either. So, I went to the registry key for .xhtml files, added the application/xhtml+xml MIME type, tested and Guess What! It Worked.

I have exported the required settings from the registry and they are available here. IE6-SP2-Content-Type-text-html.reg will fix the value for text/html, and IE6-SP2-Content-Type-application-xhtml+xml.reg will add the MIME type for XHTML documents. Download them both, inspect their contents to ensure that they are safe, and apply them by launching them. You will be prompted by Windows to confirm that you want to apply the settings.

Update: For any users of ICQ: If you change the text/html value to text/html; then each time the ICQ advertisement rotates, you may be prompted to save the file, because it is an unknown file type. I don’t know why this happens, because IE still works the same as always — full of bugs! But for some reason it affects ICQ. I recommend you only apply that workaround on computers that you do not use ICQ on, or else change it each time you need to validate with IE.