Nmap Security Scanner
*Intro
*Ref Guide
*Install Guide
*Download
*Changelog
*Book
*Docs
Security Lists
*Nmap Hackers
*Nmap Dev
*Bugtraq
*Full Disclosure
*Pen Test
*Basics
*More
Security Tools
*Pass crackers
*Sniffers
*Vuln Scanners
*Web scanners
*Wireless
*Exploitation
*Packet crafters
*More
Site News
Site Search:
Exploit World
Advertising
About/Contact
Credits
Sponsors:
edgeos



WebApp Sec: Microsoft Internet Explorer Content-Disposition HTML File Handling Flaw

Microsoft Internet Explorer Content-Disposition HTML File Handling Flaw

From: Darren Bounds <dbounds_at_gmail.com>
Date: Mon, 10 Apr 2006 10:22:43 -0400

Microsoft Internet Explorer Content-Disposition HTML File Handling Flaw
April 10, 2006

Content-Disposition (defined in RFC 2183) is often used by web
application developers as a mechanism to instruct the web browser on
how it should handle a file download. This is commonly used to help
prevent access to the application scope when handling file attachments
and mitigates the ability to leverage client-side attacks, such as
XSS, through file downloads.

While Internet Explorer does handle downloading most file types
correctly with Content-Disposition, it mishandles HTML files and
instead opens them inline, exposing the application scope. As such, it
is strongly advisable that web-based software vendors use alternative
methods to mitigate this class of attack.

A simple PoC is available at the following URL:
http://xs.vc/content-disposition/
Feel free to compare the results of Firefox and IE.

Vulnerable Versions:
All versions up to and including Internet Explorer 7 Beta 2.

References:
http://www.faqs.org/rfcs/rfc2183.html
http://support.microsoft.com/kb/182315/
http://msdn.microsoft.com/library/default.asp?url=/workshop/networking/moniker/overview/mime_handling.asp

I felt it was necessary to make this flaw public now because while the
weakness results from IEs flawed support of RFC 2183, the exposure is
with the 3rd party applications which support it.

Due to the simplicity of exploitation, it is not unlikely this is
being used in the wild.

Thank you,

Darren Bounds

-------------------------------------------------------------------------
Sponsored by: Watchfire

Watchfire's AppScan is the industry's first and leading web application
security testing suite, and the only solution to provide comprehensive
remediation tasks at every level of the application. Change the way you
think about application security testing - See for yourself.
Download a Free Trial of AppScan 6.0 today!

https://www.watchfire.com/securearea/appscansix.aspx?id=701300000007kaF
--------------------------------------------------------------------------
Received on Apr 10 2006

[ Nmap | Sec Tools | Mailing Lists | Site News | About/Contact | Advertising | Privacy ]
edgeos