Full Disclosure mailing list archives
Re: Microsoft Internet Explorer Content-Disposition HTML File Handling Flaw
From: Steven Rakick <stevenrakick () yahoo com>
Date: Tue, 11 Apr 2006 06:15:01 -0700 (PDT)
I don't see how this is a security issue...
-- Original Message --
Date: Mon, 10 Apr 2006 10:22:43 -0400
From: "Darren Bounds" <dbounds () gmail com>
Subject: [Full-disclosure] Microsoft Internet Explorer
Content-Disposition HTML File Handling Flaw
To: full-disclosure () lists grok org uk,
webappsec () securityfocus com
Message-ID:
<26563eca0604100722p4f9878dfjc91a646ed31b80a8 () mail gmail com>
Content-Type: text/plain; charset=ISO-8859-1
Microsoft Internet Explorer Content-Disposition HTML
File Handling Flaw
April 10, 2006
Content-Disposition (defined in RFC 2183) is often
used by web
application developers as a mechanism to instruct the
web browser on
how it should handle a file download. This is commonly
used to help
prevent access to the application scope when handling
file attachments
and mitigates the ability to leverage client-side
attacks, such as
XSS, through file downloads.
While Internet Explorer does handle downloading most
file types
correctly with Content-Disposition, it mishandles HTML
files and
instead opens them inline, exposing the application
scope. As such, it
is strongly advisable that web-based software vendors
use alternative
methods to mitigate this class of attack.
A simple PoC is available at the following URL:
http://xs.vc/content-disposition/
Feel free to compare the results of Firefox and IE.
Vulnerable Versions:
All versions up to and including Internet Explorer 7
Beta 2.
References:
http://www.faqs.org/rfcs/rfc2183.html
http://support.microsoft.com/kb/182315/
http://msdn.microsoft.com/library/default.asp?url=/workshop/networking/moniker/overview/mime_handling.asp
I felt it was necessary to make this flaw public now
because while the
weakness results from IEs flawed support of RFC 2183,
the exposure is
with the 3rd party applications which support it.
Due to the simplicity of exploitation, it is not
unlikely this is
being used in the wild.
Thank you,
Darren Bounds
__________________________________________________
Do You Yahoo!?
Tired of spam? Yahoo! Mail has the best spam protection around
http://mail.yahoo.com
_______________________________________________
Full-Disclosure - We believe in it.
Charter: http://lists.grok.org.uk/full-disclosure-charter.html
Hosted and sponsored by Secunia - http://secunia.com/
Current thread:
- Microsoft Internet Explorer Content-Disposition HTML File Handling Flaw Darren Bounds (Apr 10)
- Re: Microsoft Internet Explorer Content-Disposition HTML File Handling Flaw Darren Bounds (Apr 11)
- <Possible follow-ups>
- Re: Microsoft Internet Explorer Content-Disposition HTML File Handling Flaw Steven Rakick (Apr 11)
- Re: Microsoft Internet Explorer Content-Disposition HTML File Handling Flaw Darren Bounds (Apr 11)