| lists.openwall.net | lists / announce owl-users owl-dev john-users john-dev passwdqc-users yescrypt popa3d-users / oss-security kernel-hardening musl sabotage tlsify passwords / crypt-dev xvendor / Bugtraq Full-Disclosure linux-kernel linux-netdev linux-ext4 linux-hardening linux-cve-announce PHC | |
|
Open Source and information security mailing list archives
| ||
|
Message-ID: <20060411131502.18914.qmail@web53215.mail.yahoo.com> Date: Tue Apr 11 14:15:08 2006 From: stevenrakick at yahoo.com (Steven Rakick) Subject: Microsoft Internet Explorer Content-Disposition HTML File Handling Flaw I don't see how this is a security issue... -- Original Message -- Date: Mon, 10 Apr 2006 10:22:43 -0400 From: "Darren Bounds" <dbounds@...il.com> Subject: [Full-disclosure] Microsoft Internet Explorer Content-Disposition HTML File Handling Flaw To: full-disclosure@...ts.grok.org.uk, webappsec@...urityfocus.com Message-ID: <26563eca0604100722p4f9878dfjc91a646ed31b80a8@...l.gmail.com> Content-Type: text/plain; charset=ISO-8859-1 Microsoft Internet Explorer Content-Disposition HTML File Handling Flaw April 10, 2006 Content-Disposition (defined in RFC 2183) is often used by web application developers as a mechanism to instruct the web browser on how it should handle a file download. This is commonly used to help prevent access to the application scope when handling file attachments and mitigates the ability to leverage client-side attacks, such as XSS, through file downloads. While Internet Explorer does handle downloading most file types correctly with Content-Disposition, it mishandles HTML files and instead opens them inline, exposing the application scope. As such, it is strongly advisable that web-based software vendors use alternative methods to mitigate this class of attack. A simple PoC is available at the following URL: http://xs.vc/content-disposition/ Feel free to compare the results of Firefox and IE. Vulnerable Versions: All versions up to and including Internet Explorer 7 Beta 2. References: http://www.faqs.org/rfcs/rfc2183.html http://support.microsoft.com/kb/182315/ http://msdn.microsoft.com/library/default.asp?url=/workshop/networking/moniker/overview/mime_handling.asp I felt it was necessary to make this flaw public now because while the weakness results from IEs flawed support of RFC 2183, the exposure is with the 3rd party applications which support it. Due to the simplicity of exploitation, it is not unlikely this is being used in the wild. Thank you, Darren Bounds __________________________________________________ Do You Yahoo!? Tired of spam? Yahoo! Mail has the best spam protection around http://mail.yahoo.com
Powered by blists - more mailing lists