Security Information, Week 16, 1999

Not unexpectedly, soon after Internet Explorer (IE) version 5.0 was released, security holes in this browser were discovered. Microsoft has already released some security fixes.

This week's security information is going to discuss two different aspects of a new "feature" in IE 5.0.

Some users of IE 5.0 may have noticed that when you add a web page to your Favorites list (called Bookmarks in Netscape) a special icon representing that site is displayed to the left of the web page title. In other circumstances the IE icon is displayed to the left of the title.

This has to do with the fact that Microsoft has implemented in Internet Explorer the ability to display a custom icon for the particular web site which is added to the Favorites list. When a user adds a web site to his Favorites list a request is sent to the web server for a file called favicon.ico in the webroot directory (or another location, if configured that way). If this file exists that icon is used and displayed to the left of the web page title, otherwise the default IE icon is used.

This has two different security implications: one, minor, for the Internet Explorer user, and another, potentially more dangerous, for the web site which is added to the Favorites list. Both have to do with the log files on the web server.

Implication for the user who adds a web page to the Favorites list

As said above, every time a user adds a web site to his Favorites list a request is made to the web server for the file favicon.ico. This request is made whether or not the file exists on the web server, and regardless of which web server software is used.

Like other requests for files from a server, this one is logged on the web server, along with information about the IP address the request originated from, which browser was used, etc.

This combined information may be seen as a violation of a person's privacy.

However, most people probably do not care if the owner of a web site they visit is aware of the fact that the site has been added to their Favorites list.

The other implication is potentially more severe and has to do with the site running the web server.

Implications for the site running the web server

As shown above, all requests for favicon.ico are logged in the web server's log files.

So what?

Well, try to use one of the search engines and search for favicon.ico to see if this shows some interesting results. And it surely does! As expected, some of the hits are from web pages describing how to use favicon.ico, but a lot of the pages seem to be log files from web servers.

This is serious. Suddenly an intruder knows where the log file is located and she may perhaps even access the file without any user name and password. She did not even have to access the web site itself, which normally would be logged and/or detected by intrusion detection systems, but used a third-party search engine instead.

A web server's log file may tell a lot about that server, about the organization hosting the server, and about those who visit the server. Under some conditions it may even reveal user names and passwords which may be used to access restricted parts of the web site.

It even has a privacy implication with respect to visitors to the web site. They might not want their visit exposed to persons outside that organization.

Webmasters and those persons responsible for Internet security should be aware of this new vulnerability and take the necessary actions to secure the log files from unrestricted access from the Internet.
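One way for a webmaster to check a server's own log for both signs described above, namely the favicon.ico requests that IE 5.0 leaves behind and successful requests for the log files themselves. This is an added example, not part of the original newsletter; it assumes the NCSA/Apache common log format, and the sample log lines are constructed, not taken from any real server.

```python
import re
from collections import Counter

# NCSA/Apache common log format: host ident user [time] "method path proto" status size
CLF_RE = re.compile(
    r'^(?P<host>\S+) \S+ \S+ \[(?P<time>[^\]]+)\] '
    r'"(?P<method>[A-Z]+) (?P<path>\S+) (?P<proto>[^"]+)" '
    r'(?P<status>\d{3}) (?P<size>\S+)'
)

# Paths that look like a web server log file (assumed typical names; adjust for your server).
LOG_PATH_RE = re.compile(r'(access[_.-]?log|error[_.-]?log|\.log$)', re.IGNORECASE)


def parse_clf(line):
    """Parse one common-log-format line into a dict, or return None if it does not match."""
    m = CLF_RE.match(line)
    return m.groupdict() if m else None


def audit_log(lines):
    """Return (favicon_hosts, exposed_log_hits).

    favicon_hosts:    Counter of client addresses that requested favicon.ico, the
                      fingerprint IE 5.0 leaves when a page is added to Favorites.
    exposed_log_hits: list of (host, path) for successful (2xx) requests to log
                      files, i.e. the logs themselves are reachable from the Internet.
    """
    favicon_hosts = Counter()
    exposed = []
    for line in lines:
        rec = parse_clf(line)
        if rec is None:
            continue
        path = rec["path"].split("?", 1)[0]       # ignore any query string
        if path.lower().endswith("/favicon.ico"):
            favicon_hosts[rec["host"]] += 1
        if LOG_PATH_RE.search(path) and rec["status"].startswith("2"):
            exposed.append((rec["host"], path))
    return favicon_hosts, exposed


# Constructed sample log lines (documentation-range addresses, not real traffic).
SAMPLE_LOG = [
    '192.0.2.10 - - [19/Apr/1999:10:02:11 +0200] "GET /index.html HTTP/1.0" 200 4213',
    '192.0.2.10 - - [19/Apr/1999:10:02:12 +0200] "GET /favicon.ico HTTP/1.0" 404 276',
    '198.51.100.7 - - [19/Apr/1999:11:40:05 +0200] "GET /logs/access_log HTTP/1.0" 200 88123',
    '198.51.100.7 - - [19/Apr/1999:11:40:09 +0200] "GET /favicon.ico HTTP/1.0" 404 276',
    '203.0.113.5 - - [19/Apr/1999:12:00:00 +0200] "GET /logs/access_log HTTP/1.0" 403 198',
]

if __name__ == "__main__":
    hosts, exposed = audit_log(SAMPLE_LOG)
    print("favicon.ico requests per client:", dict(hosts))
    print("log files served to the Internet:", exposed)
```

Any entry in the second list means the log is being served over HTTP and the directory holding it should be blocked in the server configuration; the 403 entry in the sample shows what a correctly restricted log directory looks like.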

Per Olav Førland