
Any ideas to prevent cross-site hacks that use IE's MHTML redirection bug? - benhoyt

======
benhoyt
I've just been tightening up our upcoming microPledge website --
<http://micropledge.com> \-- to prevent cross-site request forgery (CSRF). I
added a random SHA as a form key to each form.

But! Then I discovered this lovely IE security hole. An attacker can use
cross-domain JavaScript and an mhtml: redirect to grab the page, get the form
key, and then do the POST. Brilliant! Anyone have any experience in getting
around this?

(To test the vulnerability in your browser, go to
<http://secunia.com/Internet_Explorer_Arbitrary_Content_Disclosure_Vulnerability_Test/>
\-- my copy of IE6 was vulnerable, IE7 wasn't, and Fx doesn't support mhtml so
it's not.)

~~~
palish
Easy. Don't use IE6.

Really.. Stuff like this isn't about 'not supporting IE6'. It's about the time
spent not being worth it. :)

~~~
inklesspen
How are you going to keep your users from using IE6?

