Security issue with an HTA frame

Thread starter: Oriane

Hi there,

In order to open a web site in a windows form, I use this little HTA file:

<HTML>
<HEAD>
<TITLE>Stibil</TITLE>
<HTA:APPLICATION ID="Stibil" />
<SCRIPT TYPE="text/javascript">
window.moveTo(20,20);
</SCRIPT>
</HEAD>
<BODY>
<IFRAME SRC="http://stibil.fr/default.aspx" APPLICATION="No"
STYLE="width:100%;height:100%;"></IFRAME>
</BODY>
</HTML>

http://stibil.fr is my ASP.NET web application, with "forms"
authentication. So I get the login form page, I enter my password and
login name, and then I should see the default.aspx page. But I get the
login page again inside the HTA window.

When I open directly http://stibil.fr/default.aspx, I've got no problem.

To bypass this problem, I have set http://stibil.fr as a trusted site in
Internet Explorer, and now it's OK. But I'm not satisfied with that solution
since I can't ask all my intranet clients to do that. And moreover, I can't
see why my default.aspx page could pose a security risk for my computer.

Any hint?

Best regards
 
Oriane said:
[...]

Have you tried setting 'Application' to 'Yes'?
 
Hi Oriane,

Quote from Oriane=================================================
http://stibil.fr is my Asp.net web application, with a "forms"
authentication. So I get the login form page, and I enter my password and
login name, and then I should see the default.aspx page. But I have again
the login page inside the HTA window.
=================================================

Do you mean when the page is in the iframe, even though you input the
correct username and password you are still navigated to the Login page? I
have tested your code but cannot reproduce this problem on my side.

Could you provide your environment such as the operating system and IE
version so that I can try to repro it?

Regards,
Allen Chen
Microsoft Online Support

Delighting our customers is our #1 priority. We welcome your comments and
suggestions about how we can improve the support we provide to you. Please
feel free to let my manager know what you think of the level of service
provided. You can send feedback directly to my manager at:
(e-mail address removed).

==================================================
Get notification to my posts through email? Please refer to
http://msdn.microsoft.com/en-us/subscriptions/aa948868.aspx#notifications.

Note: The MSDN Managed Newsgroup support offering is for non-urgent issues
where an initial response from the community or a Microsoft Support
Engineer within 1 business day is acceptable. Please note that each follow
up response may take approximately 2 business days as the support
professional working with you may need further investigation to reach the
most efficient resolution. The offering is not appropriate for situations
that require urgent, real-time or phone-based interactions or complex
project analysis and dump analysis issues. Issues of this nature are best
handled working with a dedicated Microsoft Support Engineer by contacting
Microsoft Customer Support Services (CSS) at
http://support.microsoft.com/select/default.aspx?target=assistance&ln=en-us.
==================================================
This posting is provided "AS IS" with no warranties, and confers no rights.

--------------------
| From: "Oriane" <[email protected]>
| Subject: Security issue with an HTA frame
| Date: Wed, 22 Oct 2008 09:51:31 +0200
| Newsgroups: microsoft.public.dotnet.framework.aspnet
| [...]
 
Hi Allen,

Allen Chen said:
Do you mean when the page is in the iframe, even though you input the
correct username and password you are still navigated to the Login page?

Yes.

I have tested your code but cannot reproduce this problem on my side.

Indeed, this problem occurs only with my asp.net intranet site. This is an
Ajax Asp.Net site where I use extenders from the Ajax Toolkit (with the
framework 3.5 SP1).

Could you provide your environment such as the operating system and IE
version so that I can try to repro it?

This problem occurs on Vista/XP with any version of IE. But, I can't give
you my site... I will try with a simple Ajax site, and send you the source
code if I can reproduce it.

Thank you for your answer.
 
I think I know why this problem occurs: I've set my site on IP port 80 with
the host header "Stibil.fr". The DNS on my company site has been updated so
that "stibil.fr" is linked with my web server IP.

Now I can't see why this interferes with the HTA security, but it seems to...
 
Hi Oriane,

To investigate this issue, I'd like to reproduce it on a Vista SP1 machine
with IE 7 installed. Could you tell me how to reproduce this problem on a
clean machine? Please provide the information as detailed as possible so
that I can reproduce exactly the same environment as yours.

Regards,
Allen Chen
Microsoft Online Support

--------------------
| From: "Oriane" <[email protected]>
| Subject: Re: Security issue with an HTA frame
| Date: Wed, 22 Oct 2008 15:22:30 +0200
| Newsgroups: microsoft.public.dotnet.framework.aspnet
| [...]
 
Hi Allen,

Allen Chen said:
Hi Oriane,

To investigate this issue, I'd like to reproduce it on a Vista SP1 machine
with IE 7 installed. Could you tell me how to reproduce this problem on a
clean machine? Please provide the information as detailed as possible so
that I can reproduce exactly the same environment as yours.

You can reproduce it on Windows Server 2003 SP2:
- take an asp.net 2.0 site with "forms" authentication;
- make the default page default.aspx (anyway, an aspx file);
- add a host header, for instance www.myex.com on port 80;
- of course update your DNS with a host entry for www.myex.com --> server
IP;
- then build the HTA file.

And you won't be able to access the default page with correct credentials.

I didn't try on Vista SP1, but I will asap.

Oriane
 
With IIS7 on Vista SP1, the problem does not occur. When I told you
yesterday that the problem occurs on Windows XP/Vista, I talked about the
client environment.
 
Hi Oriane,

Thanks for your information. I've reproduced this issue on my side. If an
internet site (your stibil.fr is considered an internet site because
it's not in the same domain as the machine where IE runs) is not added
to the trusted sites zone, the cookie cannot persist when an iframe is
used to show the site.

To work around it we can set an HTTP header. Please refer to this article:
http://adamyoung.net/IE-Blocking-iFrame-Cookies

To do this in ASP.NET we can add a new item called global.asax to the
project and add the following content in this file:

<%@ Application Language="C#" %>

<script language="C#" runat="server">
    // Send a P3P compact policy with every response so that IE keeps the
    // forms-authentication cookie when the site is shown inside a frame
    // hosted by another site (the HTA in this thread).
    protected void Application_BeginRequest(object sender, EventArgs e)
    {
        this.Context.Response.AddHeader("p3p",
            "CP=\"IDC DSP COR ADM DEVi TAIi PSA PSD IVAi IVDi CONi HIS OUR IND CNT\"");
    }
</script>

Please have a try and let me know if it works.

Regards,
Allen Chen
Microsoft Online Support

--------------------
| From: "Oriane" <[email protected]>
| Subject: Re: Security issue with an HTA frame
| Date: Thu, 23 Oct 2008 15:27:44 +0200
| Newsgroups: microsoft.public.dotnet.framework.aspnet
| [...]
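A small Python model of the rule Allen describes above (an added example, not code from the thread or from Microsoft): it validates a P3P compact policy such as the one in the global.asax and decides whether IE of that era would keep a cookie set by a page framed from another site. The first/third-party test approximates the registrable domain by the last two host labels, and the URLs and header values used with it are constructed samples.

```python
import re
from urllib.parse import urlsplit

# P3P 1.0 compact-policy vocabulary. Purpose and recipient tokens (except CUR
# and OUR) may carry an a/i/o suffix: always / opt-in / opt-out.
_PLAIN = {
    "NOI", "ALL", "CAO", "IDC", "OTI", "NON",             # access
    "DSP", "COR", "MON", "LAW", "NID", "TST",             # disputes, remedies, misc
    "CUR", "OUR", "NOR", "STP", "LEG", "BUS", "IND",      # purpose/recipient/retention
    "PHY", "ONL", "UNI", "PUR", "FIN", "COM", "NAV", "INT", "DEM",
    "CNT", "STA", "POL", "HEA", "PRE", "LOC", "GOV", "OTC",  # categories
}
_SUFFIXED = {"ADM", "DEV", "TAI", "PSA", "PSD", "IVA", "IVD", "CON", "HIS",
             "TEL", "OTP", "DEL", "SAM", "UNR", "PUB", "OTR"}


def parse_p3p_compact_policy(header):
    """Return the CP tokens of a P3P header, or None if the header is missing,
    has no CP="..." field, is empty, or contains an unknown token."""
    match = re.search(r'CP\s*=\s*"([^"]*)"', header or "")
    if not match:
        return None
    tokens = match.group(1).split()
    for tok in tokens:
        if tok in _PLAIN or (tok[:3] in _SUFFIXED and tok[3:] in ("", "a", "i", "o")):
            continue
        return None
    return tokens or None


def _site(url):
    # Assumption: the registrable domain is approximated by the last two host
    # labels; a local file (the HTA itself) has no host and so no site.
    host = (urlsplit(url).hostname or "").lower()
    return ".".join(host.split(".")[-2:]) if host else ""


def cookie_persists_in_frame(top_url, frame_url, response_headers, trusted_sites=()):
    """Model of the IE behaviour the thread describes: a cookie set by a framed
    page from another site is dropped unless that site is in the Trusted Sites
    zone or the response carries a valid P3P compact policy. Returns (kept, reason)."""
    if _site(top_url) == _site(frame_url):
        return True, "first-party frame"
    if _site(frame_url) in {_site(u) for u in trusted_sites}:
        return True, "frame site is in the Trusted Sites zone"
    headers = {k.lower(): v for k, v in response_headers.items()}
    if parse_p3p_compact_policy(headers.get("p3p")):
        return True, "third-party frame with a P3P compact policy"
    return False, "third-party frame without P3P: cookie dropped"
```

The header is a self-declaration that IE accepted without verifying it, and browsers other than IE never enforced P3P, so the check models only the behaviour discussed in this thread.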
 
Hi Allen,

"Allen Chen [MSFT]" <[email protected]> wrote in message
[...]
To work it around we can set http header. Please refer to this article:
http://adamyoung.net/IE-Blocking-iFrame-Cookies
[...]
Please have a try and let me know if it works.

It works :-)

Thanks a lot
 