[GSA2002-01] Web browsers ignore the Content-Type header, thus allowing cross-site scripting

From: pre <pre@geekgang.co.uk>
Date: Tue, 12 Feb 2002 10:27:16 +0000
To: bugtraq@securityfocus.com


              geekgang Security Advisory [gsa2002-01]

                        [www.geekgang.co.uk]
                      © Copyright 2002 geekgang

ID: geekgang GSA2002-01 01 v1.1
Topic: Web browsers ignore the Content-Type header,
                thus allowing cross-site scripting
Status: Released 20020211
Author: pre
Ack: ol

[Abstract]
The Content-Type header of an HTTP object defines its MIME type,
which in turn defines how the object should be handled. A
number of web browsers ignore this header, resulting in the
object being mis-handled. This can lead to cross-site scripting
vulnerabilities in some web based applications.

[Description]
A number of header fields are defined for HTTP that give
meta-information about the object being supplied. One such header,
the Content-Type, defines the MIME type of the object, which in
turn specifies how the object should be handled by web browsers.

Failure to honour the MIME type of an object can lead to a number
of security related problems, such as cross-site scripting.

Microsoft Internet Explorer (versions 5.x and 6, tested with all
available security bundles and related bug fixes) and, under
some configurations, Opera fail to honour the text/plain
MIME type and instead interpret the object as text/html. As a
result, any scripts embedded within the object are executed.

One implication of this is that web applications that explicitly
use a text/plain MIME type in order to protect their users
from client-side scripting lose that protection whenever their
users run a vulnerable web browser.

A number of WebMail and Bulletin Board systems are likely to be
susceptible to this issue.

Netscape and Mozilla browsers do not have this problem.

[Notes]
1. Microsoft Security Bulletin MS01-058 addresses a
vulnerability in the handling of MIME types in Internet Explorer.
That bulletin addresses a separate issue, and the subsequent
patch does not fix the problem described above.

2. Microsoft released a security fix bundle for IE on 11th
February 2002 (MS02-005) that "eliminates all previously discussed
security vulnerabilities". This security problem is not
addressed in that bundle.

3. Similar issues regarding IE handling of MIME types have
previously been discussed in:
  http://www.securityfocus.com/bid/3116
  Microsoft Technet Article Q258452

[Workaround]
Internet Explorer - disable scripting.

Opera - select "File->Preferences->Applications->File types" and
then check the "Determine action by MIME type" option.

[Example]
A request for an object such as:
    http://www.nondomain.net/mtest.php

that would then return a document such as:

    HTTP/1.1 200 OK
    Date: Mon, 04 Feb 2002 14:13:00 GMT
    Server: Apache/1.3.22 (Unix)
    Content-Type: text/plain

    <h1>broken browser test script</h1>
    <p>
    <script>alert("I could steal your cookie!!")</script>

results in the embedded JavaScript being executed by the web
browser, even though the object has a text/plain MIME type.
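The example above, and the Description section's point that a text/plain MIME type is not a reliable script barrier, can be turned into a server-side check. The following is an added example, not code from the advisory or from geekgang: it parses a raw HTTP response (a constructed copy of the one shown above), flags the risky pattern of HTML or script markup served as text/plain, and builds a hardened response that HTML-escapes the untrusted text so it is inert whether or not the browser honours the Content-Type. The X-Content-Type-Options: nosniff header it emits is a later mitigation (introduced with Internet Explorer 8, years after this advisory) and is included only as defence in depth; the function names and the list of markup tags checked are this example's own choices.

```python
import html
import re

# Constructed sample, modelled on the advisory's example response (not a capture).
SAMPLE_RESPONSE = (
    "HTTP/1.1 200 OK\r\n"
    "Date: Mon, 04 Feb 2002 14:13:00 GMT\r\n"
    "Server: Apache/1.3.22 (Unix)\r\n"
    "Content-Type: text/plain\r\n"
    "\r\n"
    "<h1>broken browser test script</h1>\n"
    "<p>\n"
    '<script>alert("I could steal your cookie!!")</script>\n'
)

# Tags whose presence in a text/plain body indicates the content would render
# as HTML in a browser that ignores the declared MIME type (assumed list).
MARKUP = re.compile(r"<\s*/?\s*(script|iframe|object|embed|img|svg|h1|p|a)\b",
                    re.IGNORECASE)


def parse_response(raw):
    """Split a raw HTTP/1.x response into (status_line, headers, body).

    Header names are lower-cased; a repeated header keeps its last value.
    """
    head, sep, body = raw.partition("\r\n\r\n")
    if not sep:
        head, sep, body = raw.partition("\n\n")
    lines = head.splitlines()
    status_line = lines[0] if lines else ""
    headers = {}
    for line in lines[1:]:
        name, _, value = line.partition(":")
        headers[name.strip().lower()] = value.strip()
    return status_line, headers, body


def declared_mime_type(headers):
    """Return the media type without parameters, e.g. 'text/plain'."""
    content_type = headers.get("content-type", "")
    return content_type.split(";")[0].strip().lower()


def audit(raw):
    """Return a list of findings describing why this response is at risk."""
    _, headers, body = parse_response(raw)
    findings = []
    if declared_mime_type(headers) == "text/plain" and MARKUP.search(body):
        findings.append("text/plain body contains HTML/script markup; a browser "
                        "that ignores Content-Type will render and execute it")
    if headers.get("x-content-type-options", "").lower() != "nosniff":
        findings.append("missing X-Content-Type-Options: nosniff "
                        "(later-browser mitigation against MIME sniffing)")
    return findings


def render_untrusted_text(text):
    """Build (headers, body) that displays untrusted text safely.

    Rather than relying on text/plain, escape the text and declare text/html,
    so the markup is inert regardless of how the browser treats the MIME type.
    """
    headers = [
        ("Content-Type", "text/html; charset=utf-8"),
        ("X-Content-Type-Options", "nosniff"),
    ]
    body = "<pre>" + html.escape(text, quote=True) + "</pre>\n"
    return headers, body


def build_response(headers, body, status_line="HTTP/1.1 200 OK"):
    """Serialise headers and body back into a raw HTTP/1.x response."""
    head = "\r\n".join([status_line] + [f"{k}: {v}" for k, v in headers])
    return head + "\r\n\r\n" + body


if __name__ == "__main__":
    for finding in audit(SAMPLE_RESPONSE):
        print("RISK:", finding)
    _, _, untrusted_body = parse_response(SAMPLE_RESPONSE)
    hardened = build_response(*render_untrusted_text(untrusted_body))
    print("hardened findings:", audit(hardened))
```

The audit is a heuristic for reviewing WebMail or bulletin-board output: any hit for the first finding means the application's safety depends on the user's browser rather than on the application itself, which is exactly the dependency the advisory shows to be unsound.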

[Time-line]
20020204 Draft v0.1
20020204 Sent to Microsoft (secure@microsoft.com)
20020204 Filed a bug report with Opera
20020211 Release Version 1.0
20020212 Update with new Notes. Version 1.1

[Disclaimer]
THE INFORMATION CONTAINED IN THIS ADVISORY IS BELIEVED TO BE ACCURATE,
BUT NO REPRESENTATION OR WARRANTY IS GIVEN, EXPRESS OR IMPLIED, AS TO
ITS ACCURACY OR COMPLETENESS. NEITHER THE AUTHOR NOR THE PUBLISHER
ACCEPTS ANY LIABILITY WHATSOEVER FOR ANY DIRECT, INDIRECT OR
CONSEQUENTIAL LOSS OR DAMAGE ARISING IN ANY WAY FROM ANY USE OF, OR
RELIANCE PLACED UPON THIS INFORMATION FOR ANY PURPOSE. THIS ADVISORY
MAY BE REDISTRIBUTED PROVIDED THAT NO FEE IS ASSIGNED AND THAT THE
ADVISORY IS NOT MODIFIED IN ANY WAY.
