Vulnerability Development mailing list archives
Re: Plain text files in internet explorer
From: Benjamin Elijah Griffin <bgriffin () gracenote com>
Date: Tue, 3 Sep 2002 12:21:05 -0700
Dan Kaminsky <dan () doxpara com> wrote:
> I'm serious; we have an extension <-> filetype LUT in the web server, the one component that cares least about the content, and it's breaking at precisely this point. Extensions are file types. Period.

If only it were that easy.

> Photoshop makes a JPEG. It's a JPEG. Imagemagick makes a JPEG. It's a JPEG. Some crazy hacker with a hex editor makes a JPEG. It's a JPEG.

Sure, fine. But my SpiffyOS has a great way to store the filetype outside the filename. So, I use the filename to store special attributes to the file, such as

bullet.red
bullet.blue
logo.large
logo.med
logo.small

At some point I'm going to accidentally come up with an "extension" that maps differently on different systems.

> The implementation does not define the format. Exposing CGI/PHP/ASP is marketing, nothing more.

It is a convenience thing. Say one person controls the server configuration and another the content. Since the server will need to do processing on .asp, .php, .cgi those names are used to flag that. I prefer not to do that myself, but I wouldn't forbid it.

> http://www.foobar.com/movie.mpg is a direct handle to an mpeg movie. http://www.foobar.com/foobar.exe is a direct handle to an executable.

http://www.example.com/search.shtml?name=fun&type=*.mpg
What type is that?

http://www.example.com/cgi-bin/clear.gif?webbug=IDNUMBERHERE
What type is that?

http://xml.example.com/xmlfeed/
What type is that?

> Suppose for a moment we keep the URLs the same, but swap file content and MIME header (i.e. you go to download the movie and instead run the code in foobar.exe). Sure, this is an obvious breach of security, but it's something *more* than that. It's a spoofing attack. The user has as much a legitimate right to consider themselves downloading a batch of video data as they do to believe the content is coming from foobar.com.

So if a user loads http://www.example.com/images/background.jpg and gets HTML (with javascript in it) then that is a spoofing attack? Even if the server states the content is text/html? What if the HTML comes with a file not found message (but a 200 code)?

> There's few engineers who will praise the simultaneous genius of URLs, HTTP, and HTML as highly as myself. That they all spawned simultaneously is a feat of synergistic engineering unparalleled in recent memory. But MIME-types are a failure, and a stubborn refusal to admit such benefits nobody.

I cannot agree with you.

> Dan Kaminsky
> DoxPara Research
> http://www.doxpara.com

I notice your front page has a link to a url:

http://www.doxpara.com/index_old.php

Which the server declares to be "Content-Type: text/html".

Benjamin
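The disagreement above is really about three independent signals for a response's type: the extension in the URL path, the server's Content-Type header, and what the body bytes actually are. The following checker, added here as an illustration and not code from either poster, compares all three and reports which pairs disagree. The extension table, the magic-byte signatures, and the sample responses (which reuse the URLs from the thread) are constructed for this demo; the sniffer is a deliberately small one, not a browser's full algorithm.

```python
"""Added example: compare URL extension, declared Content-Type and body magic bytes.

Not from the original thread. The lookup tables and sample responses below are
constructed for the demonstration.
"""
import re
from urllib.parse import urlparse

# Extension -> MIME lookup table, the kind of server-side LUT the thread debates.
EXT_TO_MIME = {
    ".jpg": "image/jpeg", ".jpeg": "image/jpeg",
    ".gif": "image/gif", ".png": "image/png",
    ".mpg": "video/mpeg",
    ".exe": "application/octet-stream",
    ".html": "text/html", ".htm": "text/html",
    ".txt": "text/plain",
}

# Leading-byte signatures used to sniff the body; first match wins.
MAGIC = [
    (b"\xff\xd8\xff", "image/jpeg"),
    (b"GIF87a", "image/gif"),
    (b"GIF89a", "image/gif"),
    (b"\x89PNG\r\n\x1a\n", "image/png"),
    (b"MZ", "application/octet-stream"),   # DOS/PE executable header
    (b"\x00\x00\x01\xba", "video/mpeg"),   # MPEG program-stream pack header
    (b"\x00\x00\x01\xb3", "video/mpeg"),   # MPEG-1 video sequence header
]
HTML_RE = re.compile(rb"^\s*(<!doctype\s+html|<html|<head|<body|<script)", re.IGNORECASE)


def mime_from_path(url):
    """Type implied by the extension of the URL *path* (query string ignored)."""
    path = urlparse(url).path
    m = re.search(r"(\.[A-Za-z0-9]+)$", path)
    return EXT_TO_MIME.get(m.group(1).lower()) if m else None


def sniff(body):
    """Type implied by the first bytes of the body, or None if unrecognised."""
    head = body[:512]
    for sig, mime in MAGIC:
        if head.startswith(sig):
            return mime
    if HTML_RE.match(head):
        return "text/html"
    return None


def normalize(content_type):
    """Strip parameters such as '; charset=utf-8' and lower-case the media type."""
    return content_type.split(";")[0].strip().lower() if content_type else None


def check(url, declared_type, body):
    """Return the three signals plus the list of pairs that disagree."""
    ext_type = mime_from_path(url)
    declared = normalize(declared_type)
    sniffed = sniff(body)
    mismatches = []
    if ext_type and declared and ext_type != declared:
        mismatches.append("extension/header")
    if sniffed and declared and sniffed != declared:
        mismatches.append("header/body")
    if ext_type and sniffed and ext_type != sniffed:
        mismatches.append("extension/body")
    return {"url": url, "ext_type": ext_type, "declared": declared,
            "sniffed": sniffed, "mismatches": mismatches}


# Constructed sample responses echoing the cases argued in the thread.
CASES = [
    # Consistent MPEG download.
    ("http://www.foobar.com/movie.mpg", "video/mpeg", b"\x00\x00\x01\xba" + b"\x00" * 16),
    # Dan's swap: URL and header say movie, body is an executable.
    ("http://www.foobar.com/movie.mpg", "video/mpeg", b"MZ\x90\x00" + b"\x00" * 16),
    # Benjamin's case: .jpg URL, server honestly says text/html, body is HTML.
    ("http://www.example.com/images/background.jpg", "text/html",
     b"<html><head><script>var x = 1;</script></head></html>"),
    # Extension not in the table: only header and body can be compared.
    ("http://www.example.com/search.shtml?name=fun&type=*.mpg",
     "text/html; charset=utf-8", b"<!DOCTYPE html><html></html>"),
]


def run_demo():
    """Check every constructed case and return the reports."""
    return [check(*case) for case in CASES]


if __name__ == "__main__":
    for report in run_demo():
        print(report["url"], "->", report["mismatches"] or "consistent")
```

Run stand-alone, the swapped movie case reports `header/body` and `extension/body`, while the `.jpg`-that-is-HTML case reports only `extension/*` disagreements, since the server told the truth in its header. That split is the useful one for a defender: an `extension/body` or `header/body` disagreement logged at a proxy or in a download scanner is exactly the signal that catches the swap Dan describes, whereas an `extension/header` disagreement on its own is the normal condition for CGI-style URLs. Browsers today additionally honour `X-Content-Type-Options: nosniff`, which tells them to trust the declared header rather than re-guess the type from the body.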
Current thread:
- RE: GIFs Good, Flash Executable Bad [Was: Plain text files in internet explorer], (continued)
- RE: GIFs Good, Flash Executable Bad [Was: Plain text files in internet explorer] Jason Coombs (Sep 03)
- Re: GIFs Good, Flash Executable Bad [Was: Plain text files in internet explorer] Gerhard den Hollander (Sep 03)
- RE: GIFs Good, Flash Executable Bad [Was: Plain text files in internet explorer] Dom De Vitto (Sep 03)
- Re: GIFs Good, Flash Executable Bad [Was: Plain text files in internet explorer] Blue Boar (Sep 03)
- Re: Plain text files in internet explorer Bernie Cosell (Sep 02)
- Re: Plain text files in internet explorer Eric Rostetter (Sep 03)
- RE: Plain text files in internet explorer Chris Sandy (Sep 01)
- Re: Plain text files in internet explorer Magnus Bodin (Sep 01)
- Re: Plain text files in internet explorer byron (Sep 02)
- Re: Plain text files in internet explorer Bill Weiss (Sep 02)
- Re: Plain text files in internet explorer Benjamin Elijah Griffin (Sep 03)
- Re: Plain text files in internet explorer Pierre-Yves Bonnetain (Sep 06)
- RE: Plain text files in internet explorer Dom De Vitto (Sep 07)
- Re: Plain text files in internet explorer Pierre-Yves Bonnetain (Sep 06)