To all,
I need some help please. I've been seeing "favicon.ico" in my http
access logs. Didn't have a clue to what it was till I read Risks Digest
20.30. Here's an excerpt from their newsletter:
Risks Digest 20.30:
In case you haven't heard, Microsoft has a new feature in IE 5.0 web
browser. When you add a website to your "Favorites" (aka. Bookmarks for
you Netscape users), the browser attempts to download a graphic called
"favicon.ico", then show that icon along with the title of the webpage.
This has two risks.
First of all, the website owner is notified when you add the page to
your favorites, revealing information about yourself. A discussion of
this can be found at
http://msdn.microsoft.com/workshop/essentials/versions/ICPIE5.asp
This privacy risk is probably minor, but I've seen several press
articles on the subject.
The second RISK is much more severe. Go to AltaVista (or any search
engine) and search for "favicon.ico". You now have a list of 500
websites that expose their access logs. In the logs, you can find
several websites that expose the URLs of CGI scripts, including
passwords. Through manual searching, I found 2 sites that exposed logon
information; I'm sure I can write a program that would scan those logs
to look for CGI programs and get even more. This also exposes even more
privacy information because these logs often contain the Referer field
as well.
This isn't unique to "favicon.ico". The RISK is really:
* people are unintentionally exposing access logs on their web sites,
  exposing user information and possible passwords.
* hackers can easily find vulnerable systems not by scanning the site
  itself (which can be detected by intrusion detection systems), but by
  searching a 3rd party like AltaVista.
Me again: That's what Risks says, now here's the excerpt from
Microsoft's site:
Brand Your Favorites
Here's a no-brainer: If you want your logo to appear next to the link
to your site in the browser when users add your site to their favorites,
just add a file called favicon.ico in the root of your domain (e.g.,
www.microsoft.com/favicon.ico). Internet Explorer will automatically
look for this file and will put your icon next to all favorites and
quick links that come from your site. If you can't put it at the root of
your server, you can specify another location on a per-page basis by
adding this tag to your page:
<LINK REL="SHORTCUT ICON" href="/path/foo.ico">
While you're at it, you can also add a button or link in your page
that prompts your users to add your page to their favorites. If they
confirm, your page is automatically added to their favorites. You can
copy and paste the code below right into your page to try this out.
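<SCRIPT>
<!--
// Write the link only for Internet Explorer 4 or later.
if ((navigator.appVersion.indexOf("MSIE") > 0)
    && (parseInt(navigator.appVersion) >= 4)) {
  // The markup is built by concatenation: a JavaScript string literal
  // cannot span several source lines.
  document.write("<U>" +
    "<SPAN STYLE='color:blue;cursor:hand;' " +
    "onclick='window.external.AddFavorite(location.href, document.title);'>" +
    "Add this page to your favorites</SPAN>" +
    "</U>");
}
//-->
</SCRIPT>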
Me again: I just don't see the "RISK" that they point out. Could
anyone please point me to the error of my ways (or theirs).
Thanks for everyone's time,
Michael Sorbera
Webmaster
Randolph-Brooks Federal Credit Union
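Added example, not part of the original message: a check a webmaster can run over their own access log to see what a world-readable copy would disclose, namely the favicon.ico requests and the password-bearing CGI URLs and Referer values the Risks excerpt describes. It assumes Combined Log Format; the parameter-name list, the function names and the sample lines are constructed for illustration.

```python
import re
from urllib.parse import urlsplit, parse_qsl, urlencode
# Combined Log Format: host ident user [time] "request" status bytes "referer" "agent"
LOG_RE = re.compile(
    r'(?P<host>\S+) \S+ \S+ \[(?P<time>[^\]]+)\] '
    r'"(?P<method>\S+) (?P<url>\S+)[^"]*" (?P<status>\d{3}) \S+'
    r'(?: "(?P<referer>[^"]*)" "(?P<agent>[^"]*)")?'
)
# Assumed list of query parameter names that usually carry credentials.
SENSITIVE = {"password", "passwd", "pass", "pwd", "pin"}

def redact(url):
    """Return (url with sensitive values masked, names of masked parameters)."""
    parts = urlsplit(url)
    hits, pairs = [], []
    for key, value in parse_qsl(parts.query, keep_blank_values=True):
        if key.lower() in SENSITIVE:
            hits.append(key)
            value = "REDACTED"
        pairs.append((key, value))
    return parts._replace(query=urlencode(pairs)).geturl(), hits

def audit(lines):
    """Summarise what a published copy of these log lines would disclose."""
    report = {"bookmarks": [], "credentials": [], "referer_credentials": []}
    for n, line in enumerate(lines, 1):
        m = LOG_RE.match(line)
        if not m:
            continue  # not a Combined/Common Log Format line
        url, hits = redact(m["url"])
        ref, ref_hits = redact(m["referer"] or "")
        if urlsplit(m["url"]).path.lower().endswith("/favicon.ico"):
            report["bookmarks"].append((n, m["host"]))  # visitor bookmarked the site
        if hits:
            report["credentials"].append((n, url, hits))
        if ref_hits:
            report["referer_credentials"].append((n, ref))
    return report

# Constructed sample lines (documentation addresses and example.com only).
SAMPLE = [
    '192.0.2.10 - - [01/Apr/1999:10:00:00 -0600] "GET /favicon.ico HTTP/1.0" 404 210 "-" "Mozilla/4.0 (compatible; MSIE 5.0; Windows 98)"',
    '192.0.2.11 - - [01/Apr/1999:10:01:00 -0600] "GET /cgi-bin/login.cgi?user=alice&password=hunter2 HTTP/1.0" 200 512 "-" "Mozilla/4.0"',
    '192.0.2.12 - - [01/Apr/1999:10:02:00 -0600] "GET /index.html HTTP/1.0" 200 1024 "http://www.example.com/cgi-bin/acct.cgi?id=7&pin=1234" "Mozilla/4.0"',
]

if __name__ == "__main__":
    for kind, rows in audit(SAMPLE).items():
        print(kind, rows)
```

Any non-empty entry in the report is a reason to keep the log and any statistics pages built from it outside the web server's document root, and to move logon forms from GET to POST so credentials never reach the request line.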