Webmasters probably know one particularly “helpful” feature of Internet Explorer — if you happen to misconfigure your web server and it sends HTML files designated as text files, Internet Explorer will silently correct this mistake and display the files anyway. Of course, if you wanted to display HTML as text (because you want to show the source code, or because it really is a text file with HTML snippets in it) it still will be displayed as HTML. And if you, as a user of a non-IE browser, ever came across a misconfigured server that displays HTML/images/Flash as plain text — now you know why nobody bothered fixing the mistake. This feature is called “MIME sniffing” and many articles have been written about it, so I don’t need to repeat them.
However, there is a less known side of MIME sniffing. Have a look at this image. Doesn’t look dangerous, right? Now try to open it in Internet Explorer. What happened? As it turns out, MIME sniffing in Internet Explorer isn’t limited to text files. If it finds anything resembling HTML code in an image, it will interpret the image as an HTML page. In this case a comment in the image contains a SCRIPT tag, and Internet Explorer promptly executes the script. This opens an XSS vulnerability in any site that allows users to upload images (many forums do).
How can you protect yourself? As a user you can go into the security settings for the Internet Zone and switch off the “Open files based on content, not extension” option. This option was added in IE6 SP2, yet even in Internet Explorer 7 it is still not switched off by default — so Microsoft is well aware of the problem but security of the users doesn’t seem to be important enough.
As to web developers, I know three solutions. The easiest is adding a Content-Disposition: attachment header to the output, which will make all browsers download the file instead of opening it (the hole in Google Docs & Spreadsheets was fixed in this way). Unfortunately, Internet Explorer will not display images sent with this header inline in web pages, so you will need another solution unless you are really only offering files for download. AMO fixed this hole by recoding all uploaded images, which strips out any HTML code they might contain. Finally, you can simply make sure that the first 256 bytes of the file don’t look like HTML (this can usually be done for text files). Here you can either remove dangerous strings or add something harmless at the beginning just to make IE happy.
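To make the first and third solutions concrete, here is an added example of a server-side upload check and a download-header helper. This is illustration code written for this post, not code from AMO, Google or Microsoft. The 256-byte window comes from the post; the list of tag names the check reacts to is an assumption (a rough approximation of what a sniffer looks for, not Microsoft's actual list), and the sample inputs are constructed byte strings, not real uploads.

```python
import re

# The post states that IE only inspects the first 256 bytes of a file.
SNIFF_WINDOW = 256

# Tag names treated as "looks like HTML". This list is an assumption made for
# the example, not Microsoft's documented sniffing table; erring on the side
# of false positives is fine for an upload filter.
HTML_TAGS = [
    b"html", b"head", b"body", b"script", b"title", b"iframe", b"img",
    b"object", b"embed", b"table", b"a ", b"a\t", b"a>", b"pre",
    b"plaintext", b"!--",
]

# Case-insensitive because sniffers do not care about tag case either.
_HTML_RE = re.compile(
    rb"<\s*(?:" + b"|".join(re.escape(t) for t in HTML_TAGS) + rb")",
    re.IGNORECASE,
)


def looks_like_html(data: bytes) -> bool:
    """True if the first SNIFF_WINDOW bytes contain an HTML-looking tag."""
    return _HTML_RE.search(data[:SNIFF_WINDOW]) is not None


def check_upload(data: bytes, declared_type: str) -> str:
    """Decide whether to store an uploaded file: returns "accept" or "reject".

    A file that is declared as anything other than text/html but starts with
    HTML-looking bytes is rejected, because IE would render it as HTML no
    matter which Content-Type the server sends later.
    """
    if declared_type == "text/html":
        return "accept"
    return "reject" if looks_like_html(data) else "accept"


def download_headers(filename: str, content_type: str) -> dict:
    """Headers for serving a stored file as a download (the post's first fix).

    Content-Disposition: attachment makes browsers save the file instead of
    rendering it. Remember the post's caveat: IE will not show such a file
    inline in an <img> tag, so use this only for genuine downloads.
    """
    safe_name = re.sub(r"[^A-Za-z0-9._-]", "_", filename)
    return {
        "Content-Type": content_type,
        "Content-Disposition": f'attachment; filename="{safe_name}"',
    }


# Constructed sample inputs (not real uploads): a GIF header followed by a
# comment extension block carrying an HTML tag, and a clean GIF header.
POISONED_GIF = (
    b"GIF89a\x01\x00\x01\x00\x80\x00\x00\xff\xff\xff\x00\x00\x00"
    b"\x21\xfe\x10<html><script>\x00"
)
CLEAN_GIF = b"GIF89a\x01\x00\x01\x00\x80\x00\x00\xff\xff\xff\x00\x00\x00\x2c"

if __name__ == "__main__":
    print("poisoned:", check_upload(POISONED_GIF, "image/gif"))   # reject
    print("clean:   ", check_upload(CLEAN_GIF, "image/gif"))      # accept
    print(download_headers("report 1.txt", "text/plain"))
```

The check rejects rather than sanitizes: removing strings from inside a binary image is unsafe in general, which is why recoding the image (the post's second solution) is the right fix for image uploads, and the scan above is the cheap first line of defence in front of it.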
- Wiki developer complains about spammers exploiting this vulnerability
- christ1an dissects the algorithm used for sniffing HTML [German]
And speaking of Internet Explorer “features”, the critical vulnerability in Internet Explorer that effectively makes same-origin policy useless still hasn’t been fixed. That one has been known for a year now and still counting. The book XSS Exploits: Cross-Site Scripting Attacks and Defense already calls it “perhaps one of the most dangerous browser bugs ever found”.