Vulnerability Development mailing list archives
Re: Plain text files in internet explorer
From: Dan Kaminsky <dan () doxpara com>
Date: Mon, 02 Sep 2002 16:43:08 -0700
> A tutorial site teaching basic HTML, which presents code snippets as text/plain to allow the student to read the markup, but would save to the hard disk as .html. What is .rpm? Is it an RPM Package Manager file, or a Realaudio Plugin? Both exist.

Great example. Look how elegantly web servers handle that *specific* little cluster.

I'm serious; we have an extension <-> filetype LUT in the web server, the one component that cares least about the content, and it's breaking at precisely this point. Extensions are file types. Period.

> What about .cgi that looks like HTML but declares itself to be text/plain?

Photoshop makes a JPEG. It's a JPEG. Imagemagick makes a JPEG. It's a JPEG. Some crazy hacker with a hex editor makes a JPEG. It's a JPEG.

The implementation does not define the format. Exposing CGI/PHP/ASP is marketing, nothing more. We actually shouldn't be seeing foo.cgi...but if we are, I'll accept MIME type being used as a *hack* to expose the type of *backend* data.

> Perhaps the author of an image archive site intends his .gif/.jpg/.bmp files to be downloaded straight, not rendered, so uses application/octet-stream.

So at the layer of the web server, he's going to subvert the GIF mapping into octet stream?

Do consider how ridiculous this sounds.

> That's a huge (and IMHO backward) paradigm shift. The Uniform Resource Locator is just that, a "handle" on some content. It does not specify the type of data, nor its size, age, TTL, language, caching characteristics etc. All of these belong out-of-band, so to speak, in the protocol headers.

You are correct about everything but type. In that case, empirical psychology and security theory trump your directionless abstract eighty-three ways from Sunday.

http://www.foobar.com/movie.mpg is a direct handle to an mpeg movie. http://www.foobar.com/foobar.exe is a direct handle to an executable.

Suppose for a moment we keep the URLs the same, but swap file content and MIME header (i.e. you go to download the movie and instead run the code in foobar.exe). Sure, this is an obvious breach of security, but it's something *more* than that. It's a spoofing attack. The user has as much a legitimate right to consider themselves downloading a batch of video data as they do to believe the content is coming from foobar.com.
Just as the web would be better off with most sites bothering to authenticate their content -- perhaps with HTTPS, perhaps with XML signatures -- because it would bring trust to the meaning extracted from the URL, so too the web would be better off with an enforced consistency between the data type presented to the user and the data type parsed.
There are few engineers who will praise the simultaneous genius of URLs, HTTP, and HTML as highly as myself. That they all spawned simultaneously is a feat of synergistic engineering unparalleled in recent memory. But MIME-types are a failure, and a stubborn refusal to admit such benefits nobody.
Yours Truly,
Dan Kaminsky
DoxPara Research
http://www.doxpara.com
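A concrete form of the consistency the message above argues for, added here as an illustration and not code from this post or from any product it mentions: compare the type a URL's extension implies (what a web server's extension-to-MIME lookup table would say), the type the server declared in Content-Type, and the type the bytes actually are, and name the disagreement. The extension table, the magic-byte signatures, the sample responses and the verdict labels are all constructed for this example; the "downgrade" category is an assumption made here so that the tutorial-site case (HTML served as text/plain) and the image-archive case (a GIF served as application/octet-stream) are reported as deliberate downgrades rather than as lies.

```python
"""
Three-way type consistency check for an HTTP response: the type the user
infers from the URL's extension, the type the server declared in
Content-Type, and the type the bytes actually are.

Added illustration, not code from the mailing-list post. The lookup tables,
magic-byte signatures, sample responses and verdict names are constructed
for this example and deliberately abbreviated.
"""
import posixpath
from dataclasses import dataclass

# Extension -> candidate MIME types, in the spirit of a server's mime.types
# (constructed). '.rpm' carries two candidates because both meanings exist.
EXTENSION_TYPES = {
    ".html": {"text/html"},
    ".htm": {"text/html"},
    ".txt": {"text/plain"},
    ".gif": {"image/gif"},
    ".jpg": {"image/jpeg"},
    ".jpeg": {"image/jpeg"},
    ".mpg": {"video/mpeg"},
    ".exe": {"application/x-msdownload", "application/octet-stream"},
    ".rpm": {"application/x-rpm", "audio/x-pn-realaudio-plugin"},
}

# Leading-byte signatures -> MIME type (constructed, abbreviated).
MAGIC = [
    (b"GIF87a", "image/gif"),
    (b"GIF89a", "image/gif"),
    (b"\xff\xd8\xff", "image/jpeg"),
    (b"MZ", "application/x-msdownload"),          # DOS/PE executable header
    (b"\x00\x00\x01\xba", "video/mpeg"),          # MPEG program-stream pack header
    (b"\x00\x00\x01\xb3", "video/mpeg"),          # MPEG video sequence header
    (b"\xed\xab\xee\xdb", "application/x-rpm"),   # RPM lead magic
]

# Declared types that present content as *less* capable than it is (assumed
# category): HTML sent as text/plain, or a GIF sent as an opaque download,
# is a downgrade the server chose, not a false statement about the bytes.
DOWNGRADES = {"text/plain", "application/octet-stream"}


def sniff(body: bytes) -> str:
    """What the bytes actually are: magic first, then a crude text test."""
    for signature, mime in MAGIC:
        if body.startswith(signature):
            return mime
    head = body[:512]
    if b"\x00" in head:
        return "application/octet-stream"
    if head.lstrip().lower().startswith((b"<!doctype html", b"<html")):
        return "text/html"
    return "text/plain"


@dataclass
class Assessment:
    path: str
    expected: set        # types the extension promises (may be empty or >1)
    declared: str        # Content-Type the server sent, parameters stripped
    actual: str          # what sniff() found
    verdict: str         # spoof | mismatch | downgrade | consistent
    ambiguous: bool      # extension maps to more than one type


def assess(path: str, content_type: str, body: bytes) -> Assessment:
    ext = posixpath.splitext(path)[1].lower()
    expected = EXTENSION_TYPES.get(ext, set())
    declared = content_type.split(";")[0].strip().lower()
    actual = sniff(body)

    if expected and actual not in expected:
        # The name the user saw promises one thing and the bytes are another
        # (movie.mpg carrying a PE header). Most severe, so checked first.
        verdict = "spoof"
    elif declared != actual and declared not in DOWNGRADES:
        # Header asserts a type the bytes do not have.
        verdict = "mismatch"
    elif declared != actual:
        # Header is a generic downgrade of richer content: acceptable, noted.
        verdict = "downgrade"
    else:
        verdict = "consistent"
    return Assessment(path, expected, declared, actual, verdict, len(expected) > 1)


if __name__ == "__main__":
    # Constructed responses mirroring the thread's examples.
    samples = [
        ("/learn/lesson1.html", "text/plain", b"<html><body><b>bold</b></body></html>"),
        ("/pics/cat.gif", "application/octet-stream", b"GIF89a" + bytes(10)),
        ("/pics/cat.gif", "image/jpeg", b"GIF89a" + bytes(10)),
        ("/movie.mpg", "video/mpeg", b"MZ\x90\x00" + bytes(60)),
        ("/dist/foo.rpm", "application/x-rpm", b"\xed\xab\xee\xdb" + bytes(92)),
    ]
    for sample_path, ctype, data in samples:
        a = assess(sample_path, ctype, data)
        flag = " (ambiguous extension)" if a.ambiguous else ""
        print(f"{a.path:22} declared={a.declared:26} actual={a.actual:24} -> {a.verdict}{flag}")
```

Run as a script it prints one line per constructed sample: the movie.mpg row is the content/header swap described in the message and comes out as spoof, the tutorial page served as text/plain comes out as downgrade rather than mismatch, and the .rpm row is consistent but flagged as an ambiguous extension, which is exactly the point where a server-side lookup table alone cannot decide.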
Current thread:
- Plain text files in internet explorer John Hennessy (Aug 31)
- RE: Plain text files in internet explorer Alan Ramsbottom (Sep 01)
- RE: Plain text files in internet explorer Bernie Cosell (Sep 01)
- Re: Plain text files in internet explorer Magnus Bodin (Sep 02)
- Re: Plain text files in internet explorer Dan Kaminsky (Sep 02)
- Re: Plain text files in internet explorer Philip Rowlands (Sep 02)
- Re: Plain text files in internet explorer Dan Kaminsky (Sep 03)
- Re: Plain text files in internet explorer Helmut Springer (Sep 03)
- Re: Plain text files in internet explorer Marc Slemko (Sep 03)
- Re: Plain text files in internet explorer Daniel Newby (Sep 04)
- RE: Plain text files in internet explorer Bernie Cosell (Sep 01)
- RE: Plain text files in internet explorer Alan Ramsbottom (Sep 01)
- GIFs Good, Flash Executable Bad [Was: Plain text files in internet explorer] Roland Postle (Sep 02)
- RE: GIFs Good, Flash Executable Bad [Was: Plain text files in internet explorer] Jason Coombs (Sep 03)
- Re: GIFs Good, Flash Executable Bad [Was: Plain text files in internet explorer] Gerhard den Hollander (Sep 03)
- RE: GIFs Good, Flash Executable Bad [Was: Plain text files in internet explorer] Dom De Vitto (Sep 03)
- Re: GIFs Good, Flash Executable Bad [Was: Plain text files in internet explorer] Blue Boar (Sep 03)
- Re: Plain text files in internet explorer Bernie Cosell (Sep 02)
- Re: Plain text files in internet explorer Eric Rostetter (Sep 03)