exploit the possibilities
Home Files News &[SERVICES_TAB]About Contact Add New

IE-Content-Disposition.txt

IE-Content-Disposition.txt
Posted Apr 14, 2006
Authored by Darren Bounds | Site xs.vc

Microsoft Internet Explorer Content-Disposition HTML File Handling Flaw

tags | advisory
SHA-256 | 574a829b559c4c5a3baadc376478a5b2bd98146b0176aa0b1c002faa78f2dace

IE-Content-Disposition.txt

Change Mirror Download
Microsoft Internet Explorer Content-Disposition HTML File Handling Flaw
April 10, 2006

Content-Disposition (defined in RFC 2183) is often used by web
application developers as a mechanism to instruct the web browser on
how it should handle a file download. This is commonly used to help
prevent access to the application scope when handling file attachments
and mitigates the ability to leverage client-side attacks, such as
XSS, through file downloads.

While Internet Explorer does handle downloading most file types
correctly with Content-Disposition, it mishandles HTML files and
instead opens them inline, exposing the application scope. As such, it
is strongly advisable that web-based software vendors use alternative
methods to mitigate this class of attack.

A simple PoC is available at the following URL:
http://xs.vc/content-disposition/
Feel free to compare the results of Firefox and IE.

Vulnerable Versions:
All versions up to and including Internet Explorer 7 Beta 2.

References:
http://www.faqs.org/rfcs/rfc2183.html
http://support.microsoft.com/kb/182315/
http://msdn.microsoft.com/library/default.asp?url=/workshop/networking/moniker/overview/mime_handling.asp

I felt it was necessary to make this flaw public now because while the
weakness results from IEs flawed support of RFC 2183, the exposure is
with the 3rd party applications which support it.

Due to the simplicity of exploitation, it is not unlikely this is
being used in the wild.


Thank you,

Darren Bounds

Login or Register to add favorites

File Archive:

July 2024

  • Su
  • Mo
  • Tu
  • We
  • Th
  • Fr
  • Sa
  • 1
    Jul 1st
    27 Files
  • 2
    Jul 2nd
    10 Files
  • 3
    Jul 3rd
    35 Files
  • 4
    Jul 4th
    27 Files
  • 5
    Jul 5th
    18 Files
  • 6
    Jul 6th
    0 Files
  • 7
    Jul 7th
    0 Files
  • 8
    Jul 8th
    28 Files
  • 9
    Jul 9th
    44 Files
  • 10
    Jul 10th
    24 Files
  • 11
    Jul 11th
    25 Files
  • 12
    Jul 12th
    0 Files
  • 13
    Jul 13th
    0 Files
  • 14
    Jul 14th
    0 Files
  • 15
    Jul 15th
    0 Files
  • 16
    Jul 16th
    0 Files
  • 17
    Jul 17th
    0 Files
  • 18
    Jul 18th
    0 Files
  • 19
    Jul 19th
    0 Files
  • 20
    Jul 20th
    0 Files
  • 21
    Jul 21st
    0 Files
  • 22
    Jul 22nd
    0 Files
  • 23
    Jul 23rd
    0 Files
  • 24
    Jul 24th
    0 Files
  • 25
    Jul 25th
    0 Files
  • 26
    Jul 26th
    0 Files
  • 27
    Jul 27th
    0 Files
  • 28
    Jul 28th
    0 Files
  • 29
    Jul 29th
    0 Files
  • 30
    Jul 30th
    0 Files
  • 31
    Jul 31st
    0 Files

Top Authors In Last 30 Days

File Tags

Systems

packet storm

© 2022 Packet Storm. All rights reserved.

Services
Security Services
Hosting By
Rokasec
close