From pre@geekgang.co.uk Thu Feb 14 03:10:36 2002
From: pre
To: bugtraq@securityfocus.com
Date: Tue, 12 Feb 2002 10:27:16 +0000
Subject: [GSA2002-01] Web browsers ignore the Content-Type header, thus allowing cross-site scripting

geekgang Security Advisory [gsa2002-01]
[www.geekgang.co.uk]
© Copyright 2002 geekgang

ID: geekgang GSA2002-01 01 v1.1
Topic: Web browsers ignore the Content-Type header, thus allowing cross-site scripting
Status: Released 20020211
Author: pre
Ack: ol

[Abstract]

The Content-Type header of an HTTP object defines its MIME type, which in turn defines how the object should be handled. A number of web browsers ignore this header, resulting in the object being mis-handled. This can lead to cross-site scripting vulnerabilities in some web based applications.

[Description]

A number of header fields are defined for HTTP that give meta-information about the object being supplied. One such header, the Content-Type, defines the MIME type of the object, which in turn specifies how the object should be handled by web browsers. Failure to honour the MIME type of an object can lead to a number of security related problems, such as cross-site scripting.

Microsoft Internet Explorer (versions 5.x and 6 tested with all available security bundles and related bug fixes) and, under some configurations, Opera web browsers fail to honour the text/plain MIME type and will interpret the object as text/html. This in turn results in any embedded scripts within the object being executed.

One implication of this is that web applications that explicitly use a text/plain MIME type in order to protect their users from client-side scripting are denied that protection whenever their users run a vulnerable web browser. A number of WebMail and Bulletin Board systems are likely to be susceptible to this issue.
Netscape and Mozilla browsers do not have this problem.

[Notes]

1. Microsoft Security Bulletin MS01-058 addresses a vulnerability in the handling of MIME types in Internet Explorer. That bulletin addresses a separate issue, and the subsequent patch does not fix the problem described above.

2. Microsoft released a security fix bundle for IE on 11th February 2002 (MS02-005) that "eliminates all previously discussed security vulnerabilities". This security problem is not addressed in that bundle.

3. Similar issues regarding IE handling of MIME types have previously been discussed in:
   http://www.securityfocus.com/bid/3116
   Microsoft Technet Article Q258452

[Workaround]

Internet Explorer - disable scripting.

Opera - select "File->Preferences->Applications->File types" and then check the "Determine action by MIME type" option.

[Example]

A request for an object such as:

http://www.nondomain.net/mtest.php

that would then return a document such as:

HTTP/1.1 200 OK
Date: Mon, 04 Feb 2002 14:13:00 GMT
Server: Apache/1.3.22 (Unix)
Content-Type: text/plain

broken browser test script

results in the embedded JavaScript being executed by the web browser, even though the object has a text/plain MIME type.

[Time-line]

20020204 Draft v0.1
20020204 Sent to Microsoft (secure@microsoft.com)
20020204 Filed a bug report with Opera
20020211 Release Version 1.0
20020212 Update with new Notes. Version 1.1

[Disclaimer]

THE INFORMATION CONTAINED IN THIS ADVISORY IS BELIEVED TO BE ACCURATE, BUT NO REPRESENTATION OR WARRANTY IS GIVEN, EXPRESS OR IMPLIED, AS TO ITS ACCURACY OR COMPLETENESS. NEITHER THE AUTHOR NOR THE PUBLISHER ACCEPTS ANY LIABILITY WHATSOEVER FOR ANY DIRECT, INDIRECT OR CONSEQUENTIAL LOSS OR DAMAGE ARISING IN ANY WAY FROM ANY USE OF, OR RELIANCE PLACED UPON THIS INFORMATION FOR ANY PURPOSE. THIS ADVISORY MAY BE REDISTRIBUTED PROVIDED THAT NO FEE IS ASSIGNED AND THAT THE ADVISORY IS NOT MODIFIED IN ANY WAY.
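As an added illustration of the [Description] and [Example] sections above (editor-added code, not part of the advisory or of any browser): a small Python audit that parses a raw HTTP response, flags a text/plain object whose body carries HTML markup, which is exactly the object a browser ignoring Content-Type would render as HTML, and shows that HTML-escaping the body on the server leaves it inert however the browser treats the MIME type. The sample response, the tag list standing in for browser content sniffing, and the escaping step are assumptions of this example, not recommendations from the advisory.

```python
import html
import re

# Constructed sample response (not the advisory's own test object): the server
# declares text/plain, but the body carries HTML markup and a script element.
SAMPLE_RESPONSE = (
    b"HTTP/1.1 200 OK\r\n"
    b"Date: Mon, 04 Feb 2002 14:13:00 GMT\r\n"
    b"Server: Apache/1.3.22 (Unix)\r\n"
    b"Content-Type: text/plain\r\n"
    b"\r\n"
    b"broken browser test script\r\n"
    b"<html><body><script>alert('xss')</script></body></html>\r\n"
)

# Tags whose presence a content-sniffing browser may take as evidence of HTML.
# Assumed heuristic for this audit, not a reproduction of any browser's algorithm.
HTML_MARKERS = re.compile(rb"<(?:!doctype|html|head|body|script|iframe|object)\b", re.I)

def parse_response(raw):
    """Split a raw HTTP/1.x response into (status line, header dict, body bytes)."""
    head, _, body = raw.partition(b"\r\n\r\n")
    lines = head.split(b"\r\n")
    headers = {}
    for line in lines[1:]:
        name, _, value = line.partition(b":")  # split on the first colon only
        headers[name.strip().lower().decode("latin-1")] = value.strip().decode("latin-1")
    return lines[0].decode("latin-1"), headers, body

def declared_media_type(headers):
    """Media type with parameters stripped: 'text/plain; charset=x' -> 'text/plain'."""
    return headers.get("content-type", "").split(";")[0].strip().lower()

def audit(headers, body):
    """Flag a text/plain body that a browser ignoring Content-Type would render as HTML."""
    findings = []
    if declared_media_type(headers) == "text/plain" and HTML_MARKERS.search(body):
        findings.append("text/plain body contains HTML markup; a browser that ignores "
                        "Content-Type will render it as HTML and execute any script")
    return findings

def harden_body(body):
    """Server-side defence: HTML-escape the text so it stays inert even when a
    browser wrongly treats the text/plain object as text/html."""
    return html.escape(body.decode("latin-1"), quote=True).encode("latin-1")

if __name__ == "__main__":
    status, headers, body = parse_response(SAMPLE_RESPONSE)
    print(status, declared_media_type(headers), audit(headers, body))
    print("after hardening:", audit(headers, harden_body(body)))
```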