The hazards of MIME sniffing

Webmasters probably know one particularly “helpful” feature of Internet Explorer — if you happen to misconfigure your web server so that it sends HTML files designated as text files, Internet Explorer will silently correct this mistake and display the files as HTML anyway. Of course, if you wanted to display HTML as text (because you want to show the source code, or because it really is a text file with HTML snippets in it), it will still be displayed as HTML. And if you, as a user of a non-IE browser, ever came across a misconfigured server that serves HTML/images/Flash as plain text — now you know why nobody bothered fixing the mistake. This feature is called “MIME sniffing” and many articles have been written about it, so I don’t need to repeat them.

However, there is a less known side of MIME sniffing. Have a look at this image. Doesn’t look dangerous, right? Now try to open it in Internet Explorer. What happened? As it turns out, MIME sniffing in Internet Explorer isn’t limited to text files. If it finds anything resembling HTML code in an image, it will interpret the image as an HTML page. In this case a comment in the image contains a SCRIPT tag, and Internet Explorer promptly executes the script. This opens an XSS vulnerability in any site that allows users to upload images (many forums do): the script runs in the origin of the site hosting the image, not in some sandbox.

How can you protect yourself? As a user you can go into the security settings for the Internet Zone and switch off the “Open files based on content, not extension” option. This option was added in IE6 SP2, yet even in Internet Explorer 7 it is still not switched off by default — so Microsoft is well aware of the problem, but the security of the users doesn’t seem to be important enough.

As for web developers, I know three solutions. The easiest is adding a Content-Disposition: attachment header to the output, which will make all browsers download the file instead of opening it (the hole in Google Docs & Spreadsheets was fixed in this way). Unfortunately, in Internet Explorer images served with this header don’t work in web pages, so you will need another solution unless you really are only offering files for download. AMO fixed this hole by re-encoding all uploaded images, which strips out any HTML code they might contain. Finally, you can simply make sure that the first 256 bytes of the file don’t look like HTML (this can usually be done for text files). Here you can either remove dangerous strings or add something harmless at the beginning just to make IE happy.
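To make the three solutions concrete, here is an added example of what the server side of an upload handler can do; it is my code, not the article’s and not what AMO or Google Docs actually run. It assumes a 256-byte sniff window (the article’s figure) and a marker list of tag-like byte sequences that I chose myself as a conservative approximation of what a sniffing browser keys on, not as IE’s real algorithm. For PNG uploads it strips the text chunks (tEXt, zTXt, iTXt) where a comment with a SCRIPT tag would live, rather than re-encoding the pixels, and it refuses a file whose chunk lengths or CRCs don’t add up instead of guessing.

```python
"""Server-side checks for user uploads: download-only headers, an HTML-sniff
check over the first bytes, and PNG text-chunk stripping. Added example, not
code from the article, AMO or Google Docs. The marker list below is my
assumption about what a sniffing browser keys on; it is a conservative
filter, not IE's actual heuristic."""
import re
import struct
import zlib

SNIFF_WINDOW = 256  # the article's figure for how far IE looks into a file

# Assumed marker list: tag-like byte sequences, matched case-insensitively.
HTML_MARKERS = re.compile(
    rb"<\s*(?:!doctype|html|head|body|script|iframe|object|embed|title|meta|"
    rb"table|div|font|style|pre|plaintext|a\s+href)",
    re.IGNORECASE,
)


def looks_like_html(data: bytes) -> bool:
    """True if the first SNIFF_WINDOW bytes contain an HTML-looking tag."""
    return HTML_MARKERS.search(data[:SNIFF_WINDOW]) is not None


def download_headers(filename: str) -> dict:
    """Solution 1: headers for files that are only offered for download."""
    safe = re.sub(r"[^\w.-]", "_", filename)
    return {"Content-Disposition": 'attachment; filename="%s"' % safe}


PNG_SIGNATURE = b"\x89PNG\r\n\x1a\n"
PNG_TEXT_CHUNKS = {b"tEXt", b"zTXt", b"iTXt"}  # free-text ancillary chunks


def png_chunk(ctype: bytes, payload: bytes) -> bytes:
    """Serialise one PNG chunk: length, type, payload, CRC-32 over type+payload."""
    crc = zlib.crc32(ctype + payload) & 0xFFFFFFFF
    return struct.pack(">I", len(payload)) + ctype + payload + struct.pack(">I", crc)


def strip_png_text_chunks(png: bytes) -> bytes:
    """Solution 2, narrowed to PNG: drop the text chunks an image comment lives
    in. A chunk with a bad length or CRC fails the whole file."""
    if not png.startswith(PNG_SIGNATURE):
        raise ValueError("not a PNG file")
    kept = [PNG_SIGNATURE]
    pos = len(PNG_SIGNATURE)
    while pos < len(png):
        header = png[pos:pos + 8]
        if len(header) < 8:
            raise ValueError("truncated chunk header")
        (length,) = struct.unpack(">I", header[:4])
        ctype = header[4:]
        chunk = png[pos:pos + 12 + length]  # length + type + payload + crc
        if len(chunk) < 12 + length:
            raise ValueError("truncated chunk %r" % ctype)
        (crc,) = struct.unpack(">I", chunk[-4:])
        if crc != (zlib.crc32(chunk[4:-4]) & 0xFFFFFFFF):
            raise ValueError("bad CRC in chunk %r" % ctype)
        if ctype not in PNG_TEXT_CHUNKS:
            kept.append(chunk)
        pos += 12 + length
        if ctype == b"IEND":
            break
    return b"".join(kept)


def build_sample_png(comment: bytes) -> bytes:
    """Constructed 1x1 greyscale PNG carrying `comment` in a tEXt chunk
    (sample input for this example, not a real upload)."""
    ihdr = struct.pack(">IIBBBBB", 1, 1, 8, 0, 0, 0, 0)  # 1x1, 8-bit grey
    idat = zlib.compress(b"\x00\x00")  # filter byte + one black pixel
    return (PNG_SIGNATURE
            + png_chunk(b"IHDR", ihdr)
            + png_chunk(b"tEXt", b"Comment\x00" + comment)
            + png_chunk(b"IDAT", idat)
            + png_chunk(b"IEND", b""))


def accept_image_upload(data: bytes) -> bytes:
    """Solutions 2 and 3 combined for PNG uploads: strip text chunks, then
    refuse anything whose first bytes still look like HTML."""
    cleaned = strip_png_text_chunks(data)
    if looks_like_html(cleaned):
        raise ValueError("upload still looks like HTML after cleaning")
    return cleaned


if __name__ == "__main__":
    hostile = build_sample_png(b"<script>alert('sniffed')</script>")
    print("raw upload looks like HTML:", looks_like_html(hostile))
    print("after cleaning:", looks_like_html(accept_image_upload(hostile)))
```

The sniff check is deliberately applied after cleaning as well: stripping known comment containers handles the case the article shows, but a file type the stripper doesn’t understand, or a chunk type it doesn’t know about, still has to pass the first-256-bytes test before it is served under an image content type.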

More on this topic:

And speaking of Internet Explorer “features”, the critical vulnerability in Internet Explorer that effectively makes same-origin policy useless still hasn’t been fixed. That one has been known for a year now and still counting. The book XSS Exploits: Cross-Site Scripting Attacks and Defense already calls it “perhaps one of the most dangerous browser bugs ever found”.

Comments

  • Neglacio

    Another proof Internet Explorer IS BAD :D
    Viva Firefox!

  • dArkPL

    http://digg.com/programming/The_hazards_of_mime_sniffing
    Digg it!

  • Anon

    Paste the following into a text editor and then save as .reg then double click to apply.

    Windows Registry Editor Version 5.00

    [HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Internet Settings\SO\MISC\MIME_SNIFFING\DISABLE]
    "CheckedValue"=dword:00000003

    [HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Internet Settings\SO\MISC\MIME_SNIFFING\ENABLE]
    "CheckedValue"=dword:00000000

    [HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Internet Settings\Zones\0]
    "2100"=dword:00000001

    [HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Internet Settings\Zones\1]
    "2100"=dword:00000001

    [HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Internet Settings\Zones\2]
    "2100"=dword:00000001

    [HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Internet Settings\Zones\3]
    "2100"=dword:00000001

    [HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Internet Settings\Zones\4]
    "2100"=dword:00000001

    This should disable all internet zones from the sniffing behaviour.

    Note: this could break stuff that I am not aware of and I do not accept any responsibility for any consequences. Use at your own risk! Also probably only works in Win2000/XP.

    Wladimir Palant

    Very “clever”. You should try to read the article; I wrote about these settings that can be changed from the user interface, by the way. I also linked to the documentation and said that the option has been added with Internet Explorer 6 SP 2.

  • Anon

    Hmm. The above didn’t work on another machine I tried it on so I would advise not using. Please delete the post and this one if possible and sorry for the inconvenience.

  • Anon

    “Very “clever”. You should try to read the article; I wrote about these settings that can be changed from the user interface, by the way. I also linked to the documentation and said that the option has been added with Internet Explorer 6 SP 2.”

    Sorry, it wasn’t really clever because I found it didn’t work. I just wanted something to automate the process to be able to apply it over several machines instead of having to do it manually. Anyway, sorry again, I do read your articles and find them very interesting and informative.

    (Same person posted comments 3 and 4)

  • Jesse Weinstein

    OT — you might find this part of a recent interview with MozCo management interesting:
    http://apcmag.com/6043/why_theres_no_inbuilt_adblocker_in_firefox_yet_mozilla_ceo

    “Dan Warne (APC): So speaking of add-ons I’m sure a lot of people are curious to know why you guys haven’t built an ad blocker into Firefox?

    Mitchell Baker: I don’t know I would have to ask actually!”

    Wladimir Palant

    Thanks, this is interesting. Unfortunately Mitchell is not a programmer so she only states the most obvious reason. In fact, there is no way that Adblock Plus with its entire complex user interface would be integrated into Firefox.

  • Jesse Weinstein

    Glad you found the article interesting. It’s slightly misleading, since Firefox does come with a basic ad-blocker; it’s just not as simple or well-designed as Adblock Plus. It doesn’t seem like ABP has a particularly complex interface (as compared with, say, the Firefox “Privacy” preferences tab). Could you go into a bit more detail about what seems too complex?

    Wladimir Palant

    The built-in content blocker has a trivial user interface: “Block images from …” context menu item that can be checked or unchecked. The rest of the user interface is well-hidden in the Firefox preferences, most users will never see it (and neither do they need to see it). That’s how it should be.

    The Adblock Plus user interface on the other hand is much more complicated. Selecting “Adblock image” from the context menu will not have immediate effect, instead you are required to make a filter out of the image’s address – lots and lots of possible failure points there. Subscriptions are a very significant improvement, theoretically they make a “switch on and forget about it” user interface possible. Complicating factor being that “one subscription to rule them all” is unlikely to be a successful concept, meaning that at least parts of the current user interface have to stay somewhere where they can be found by advanced users yet don’t confuse newbies.

    Giving users a choice between a larger number of subscriptions (something that Adblock Plus is currently doing) is not a viable solution in the long term – most users are absolutely clueless about which subscription suits them best.

  • h

    Totally off-topic as well, but I think the right path would be to make Firefox like a Linux distro, so Mozilla provides only the basic building blocks, and distributes a bundle of selected third-party addons that meet quality and usefulness criteria, but which can be replaced by users if they want.

    The current practice of putting dumbed-down versions of famous extensions right into Firefox, and not making them optional, is very annoying. Phishing protection, session restore etc. are cases in point.

    Wladimir Palant

    Mozilla already provides the basic building blocks, they are called XULRunner. While Firefox doesn’t run on top of XULRunner yet, this should change by Firefox 3.0. And everybody is allowed to bring out his own modified version of Firefox (see Flock and Netscape). Yet Firefox should be always the same thing, regardless of where you download it from – users need to trust the brand, they should know that this is still the same quality software coming from Mozilla. Not to mention that several Firefox “distributions” would be a support nightmare.

    As to “dumbed-down versions of famous extensions” – the requirements on features in Firefox are very different from requirements on extensions. As I wrote in the reply to the comment above, even if Adblock Plus ever gets incorporated in Firefox, I don’t expect its user interface to “survive” the process. Extensions are installed by a conscious decision, Firefox features on the other hand come pre-installed and should require an absolute minimum of configuration if any at all – they have to just work. Phishing protection does it nicely and I don’t see why anybody would have a problem with it, even the power-users who will likely not need it. Session restore should not nag you either unless you crash (and it is far more reliable than any of the session restore extensions around), so that’s a nice feature as well.

  • anon

    No alerts saying “Oops” came on my (ex-)IE when I opened the image.

    Wladimir Palant

    Then how do you know it should be there? :)

    Anyway, maybe you disabled MIME sniffing. Or you have JavaScript disabled entirely. Or something else. The point is that this happens with the default configuration – and almost everybody is using the default configuration.

  • anon

    Save image -> open in notepad.
    That is the first thing I did as I started reading.

  • Lassar

    A lot of what you said makes sense.

    There is one thing , I wish Firefox would do mime sniffing on.

    That is when it is supposed to download something: check the extension and see if the extension looks like it could be an HTML page. If so, then do MIME sniffing and display the page if it is an HTML page.

    I’ve seen too many “download HTML pages” (with a php extension) get downloaded instead of being displayed.

    Remember, we do not live in a perfect world.

    Wladimir Palant

    Yes, it isn’t a perfect world – but being forgivable on server misconfigurations won’t make the world better, it will rather make the mistake go unnoticed longer. In my experience this particular mistake is rare enough, so that hacking around it isn’t really necessary.

  • bladerunnerxx

    I love Firefox and IMO every website should have to be configured to support both IE and FF. I hate needing to use a website that only supports IE; it is very inferior to FF and has a lot of issues such as freezing/locking up and having to be restarted, if not locking up the entire PC and forcing the user to reboot. These are the top 2 browsers in the world; any web page should be available to both of them.