Vulnerability Development
mailing list archives
Re: Plain text files in internet explorer
From: Dan Kaminsky <dan () doxpara com>
Date: Mon, 02 Sep 2002 16:43:08 -0700
> A tutorial site teaching basic HTML, which presents code snippets as
> text/plain to allow the student to read the markup, but would save to
> the hard disk as .html.
>
> What is .rpm? Is it a RPM Package Manager file, or a Realaudio Plugin?
> Both exist.
Great example. Look how elegantly web servers handle that *specific*
little cluster.
I'm serious; we have an extension <-> filetype LUT in the web server,
the one component that cares least about the content, and it's breaking
at precisely this point. Extensions are file types. Period.
> What about .cgi that looks like HTML but declares itself to be
> text/plain?
Photoshop makes a JPEG. It's a JPEG.
Imagemagick makes a JPEG. It's a JPEG.
Some crazy hacker with a hex editor makes a JPEG. It's a JPEG.
The implementation does not define the format. Exposing CGI/PHP/ASP is
marketing, nothing more. We actually shouldn't be seeing foo.cgi...but
if we are, I'll accept MIME type being used as a *hack* to expose the
type of *backend* data.
> Perhaps the author of an image archive site intends his .gif/.jpg/.bmp
> files to be downloaded straight, not rendered, so uses
> application/octet-stream.
So at the layer of the web server, he's going to subvert the GIF mapping
into octet stream?
Do consider how ridiculous this sounds.
> That's a huge (and IMHO backward) paradigm shift. The Uniform Resource
> Locator is just that, a "handle" on some content. It does not specify
> the type of data, nor its size, age, TTL, language, caching
> characteristics etc. All of these belong out-of-band, so to speak, in
> the protocol headers.
You are correct about everything but type. In that case, empirical
psychology and security theory trump your directionless abstract eighty-
three ways from Sunday.
http://www.foobar.com/movie.mpg is a direct handle to an mpeg movie.
http://www.foobar.com/foobar.exe is a direct handle to an executable.
Suppose for a moment we keep the URLs the same, but swap file content
and MIME header (i.e. you go to download the movie and instead run the
code in foobar.exe). Sure, this is an obvious breach of security, but
it's something *more* than that. It's a spoofing attack. The user has
as much a legitimate right to consider themselves downloading a batch of
video data as they do to believe the content is coming from foobar.com.
Just as the web would be better off with most sites bothering to
authenticate their content -- perhaps with HTTPS, perhaps with XML
signatures -- because it would bring trust to the meaning extracted from
the URL, so too the web would be better off with an enforced consistency
between the data type presented to the user and the data type parsed.
There are few engineers who will praise the simultaneous genius of URLs,
HTTP, and HTML as highly as myself. That they all spawned
simultaneously is a feat of synergistic engineering unparalleled in
recent memory. But MIME-types are a failure, and a stubborn refusal to
admit such benefits nobody.
Yours Truly,
Dan Kaminsky
DoxPara Research
http://www.doxpara.com
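As an added illustration of the consistency check the message argues for (this is not code from the original post or from Dan Kaminsky), here is a small defender-side checker that compares the type implied by a URL's extension, the declared Content-Type header, and the content's leading bytes, and reports where the three disagree. The extension and magic-number tables are constructed subsets covering only the formats named in the thread; text formats have no magic bytes, so for them only the extension/header comparison can fire.

```python
from urllib.parse import urlsplit
import posixpath

# Constructed extension -> type lookup table: the "extension <-> filetype LUT"
# the thread says lives in the web server. Covers only formats named above.
EXT_TYPES = {
    ".html": "text/html", ".htm": "text/html", ".txt": "text/plain",
    ".gif": "image/gif", ".jpg": "image/jpeg", ".jpeg": "image/jpeg",
    ".bmp": "image/bmp", ".mpg": "video/mpeg", ".mpeg": "video/mpeg",
    ".exe": "application/x-msdownload",
}

# Constructed magic-number table: what the bytes themselves say they are.
MAGIC = [
    (b"\xff\xd8\xff", "image/jpeg"),
    (b"GIF87a", "image/gif"),
    (b"GIF89a", "image/gif"),
    (b"BM", "image/bmp"),
    (b"MZ", "application/x-msdownload"),   # DOS/PE executable header
    (b"\x00\x00\x01\xba", "video/mpeg"),   # MPEG program stream pack header
    (b"\x00\x00\x01\xb3", "video/mpeg"),   # MPEG video sequence header
]

def type_from_url(url: str):
    """Type the user infers from the URL 'handle' (its extension), or None."""
    ext = posixpath.splitext(urlsplit(url).path)[1].lower()
    return EXT_TYPES.get(ext)

def type_from_bytes(body: bytes):
    """Type implied by the leading bytes of the content, or None if unknown."""
    for magic, mime in MAGIC:
        if body.startswith(magic):
            return mime
    return None

def check_consistency(url: str, content_type: str, body: bytes) -> list:
    """Return mismatch findings; an empty list means all three views agree."""
    declared = content_type.split(";", 1)[0].strip().lower() or None
    by_ext, by_magic, findings = type_from_url(url), type_from_bytes(body), []
    if by_ext and declared and by_ext != declared:
        findings.append(f"header says {declared} but extension implies {by_ext}")
    if by_magic and declared and by_magic != declared:
        findings.append(f"content is {by_magic} but header says {declared}")
    if by_magic and by_ext and by_magic != by_ext:
        findings.append(f"content is {by_magic} but URL suggests {by_ext}")
    return findings

if __name__ == "__main__":
    # The swap described in the message: movie.mpg URL, executable bytes and header.
    print(check_consistency("http://www.foobar.com/movie.mpg",
                            "application/x-msdownload", b"MZ\x90\x00" + b"\x00" * 60))
```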