Bugtraq mailing list archives

[GSA2002-01] Web browsers ignore the Content-Type header, thus allowing cross-site scripting


From: pre <pre () geekgang co uk>
Date: Tue, 12 Feb 2002 10:27:16 +0000

              geekgang Security Advisory [gsa2002-01]

                        [www.geekgang.co.uk]
                      © Copyright 2002 geekgang

ID:             geekgang GSA2002-01 01 v1.1
Topic:          Web browsers ignore the Content-Type header,
                thus allowing cross-site scripting
Status:         Released 20020211
Author:         pre
Ack:            ol

[Abstract]
The Content-Type header of an HTTP object defines its MIME type,
which in turn defines how the object should be handled. A
number of web browsers ignore this header, resulting in the
object being mis-handled. This can lead to cross-site scripting
vulnerabilities in some web based applications.

[Description]
A number of header fields are defined for HTTP that give
meta-information about the object being supplied. One such header,
the Content-Type, defines the MIME type of the object, which in
turn specifies how the object should be handled by web browsers.

Failure to honour the MIME type of an object can lead to a number
of security related problems, such as cross-site scripting.

Microsoft Internet Explorer (versions 5.x and 6, tested with all
available security bundles and related bug fixes) and, under
some configurations, Opera web browsers fail to honour the text/plain
MIME type and will interpret the object as text/html. This in turn
results in any embedded scripts within the object being executed.

One implication of this is that web applications that explicitly
use a text/plain MIME type in order to protect their users
from client-side scripting are being denied that protection by
their users using vulnerable web browsers.

A number of WebMail and Bulletin Board systems are likely to be
susceptible to this issue.

Netscape and Mozilla browsers do not have this problem.

[Notes]
1. Microsoft Security Bulletin MS01-058 addresses a
vulnerability in the handling of MIME types in Internet Explorer.
That bulletin addresses a separate issue, and the subsequent
patch does not fix the problem described above.

2. Microsoft released a security fix bundle for IE on 11th
February 2002 (MS02-005) that "eliminates all previously discussed
security vulnerabilities". This security problem is not
addressed in that bundle.

3. Similar issues regarding IE handling of MIME types have
previously been discussed in:
  http://www.securityfocus.com/bid/3116
  Microsoft Technet Article Q258452

[Workaround]
Internet Explorer - disable scripting.

Opera - select "File->Preferences->Applications->File types" and
then check the "Determine action by MIME type" option.

[Example]
A request for an object such as:
    http://www.nondomain.net/mtest.php

that would then return a document such as:

    HTTP/1.1 200 OK
    Date: Mon, 04 Feb 2002 14:13:00 GMT
    Server: Apache/1.3.22 (Unix)
    Content-Type: text/plain


    <h1>broken browser test script</h1>
    <p>
    <script>alert("I could steal your cookie!!")</script>

results in the embedded JavaScript being executed by the web
browser, even though it has a text/plain MIME type.
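The following is an added example, not part of the advisory or any
geekgang code. It implements the check a web application operator would
want after reading the above: parse a raw HTTP response, read the declared
Content-Type, and flag bodies that are served as text/plain yet contain
HTML markup (the condition a content-sniffing browser turns into script
execution). It also shows the server-side hardening that does not depend on
the browser honouring the header: HTML-escaping untrusted text before it is
sent, so the body stays inert even if it is rendered as HTML. The sample
response is the one from the [Example] section, constructed inline; the
list of HTML marker tags is an assumption for the heuristic, not a
description of any particular browser's sniffing rules.

```python
"""
Audit helper for the text/plain content-sniffing problem: flags responses
whose declared Content-Type is text/plain but whose body looks like HTML,
and shows the escaping that keeps such a body harmless even when a browser
ignores the header. Added example; not the advisory's code.
"""
import html
import re

# Constructed sample: the response shown in the advisory's [Example] section.
SAMPLE_RESPONSE = (
    b"HTTP/1.1 200 OK\r\n"
    b"Date: Mon, 04 Feb 2002 14:13:00 GMT\r\n"
    b"Server: Apache/1.3.22 (Unix)\r\n"
    b"Content-Type: text/plain\r\n"
    b"\r\n"
    b"<h1>broken browser test script</h1>\n"
    b"<p>\n"
    b'<script>alert("I could steal your cookie!!")</script>\n'
)

# Assumption for this example: a body containing any of these tags is
# treated as "looks like HTML". The list is a heuristic, not a browser's
# actual sniffing table.
HTML_MARKERS = re.compile(
    rb"<\s*(script|html|body|h[1-6]|p|a|img|iframe)\b", re.IGNORECASE
)


def parse_response(raw: bytes):
    """Split a raw HTTP/1.x response into (status line, header dict, body)."""
    head, sep, body = raw.partition(b"\r\n\r\n")
    if not sep:
        raise ValueError("malformed response: no header/body separator")
    lines = head.split(b"\r\n")
    status = lines[0].decode("latin-1")
    headers = {}
    for line in lines[1:]:
        name, _, value = line.partition(b":")
        # Header names are case-insensitive; normalise to lower case.
        headers[name.strip().decode("latin-1").lower()] = value.strip().decode("latin-1")
    return status, headers, body


def declared_mime_type(headers: dict) -> str:
    """Return the media type from Content-Type without parameters (e.g. charset)."""
    ctype = headers.get("content-type", "")
    return ctype.split(";", 1)[0].strip().lower()


def looks_like_html(body: bytes) -> bool:
    """Heuristic: does the body contain markup a sniffing browser would act on?"""
    return HTML_MARKERS.search(body) is not None


def audit(raw: bytes) -> dict:
    """Report the declared type and whether text/plain is carrying HTML."""
    _status, headers, body = parse_response(raw)
    mime = declared_mime_type(headers)
    markup = looks_like_html(body)
    return {
        "declared": mime,
        "html_markup_present": markup,
        # The advisory's condition: served as text/plain, but HTML inside.
        "sniffable_script_risk": mime == "text/plain" and markup,
    }


def safe_text_body(untrusted: str) -> bytes:
    """Server-side hardening: escape HTML so the body is inert even if sniffed as HTML.

    This does not rely on the browser honouring Content-Type, which is
    exactly the guarantee the advisory shows cannot be assumed.
    """
    return html.escape(untrusted, quote=True).encode("utf-8")


if __name__ == "__main__":
    print(audit(SAMPLE_RESPONSE))
    original_body = SAMPLE_RESPONSE.split(b"\r\n\r\n", 1)[1].decode("utf-8")
    print(safe_text_body(original_body).decode("utf-8"))
```

Run it over captured responses from a webmail or bulletin-board front end;
any hit on `sniffable_script_risk` marks a page that is relying on
text/plain for protection it will not get from the affected browsers. The
escaping in `safe_text_body` is the fix that holds regardless of browser.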

[Time-line]
20020204 Draft v0.1
20020204 Sent to Microsoft (secure () microsoft com)
20020204 Filed a bug report with Opera
20020211 Release Version 1.0
20020212 Update with new Notes. Version 1.1

[Disclaimer]
THE INFORMATION CONTAINED IN THIS ADVISORY IS BELIEVED TO BE ACCURATE,
BUT NO REPRESENTATION OR WARRANTY IS GIVEN, EXPRESS OR IMPLIED, AS TO
ITS ACCURACY OR COMPLETENESS. NEITHER THE AUTHOR NOR THE PUBLISHER
ACCEPTS ANY LIABILITY WHATSOEVER FOR ANY DIRECT, INDIRECT OR
CONSEQUENTIAL LOSS OR DAMAGE ARISING IN ANY WAY FROM ANY USE OF, OR
RELIANCE PLACED UPON THIS INFORMATION FOR ANY PURPOSE. THIS ADVISORY
MAY BE REDISTRIBUTED PROVIDED THAT NO FEE IS ASSIGNED AND THAT THE
ADVISORY IS NOT MODIFIED IN ANY WAY.
