W3C home > Mailing lists > Public > www-tag@w3.org > June 2003

Re: Security issue in Media-type override?

From: L. David Baron <dbaron@dbaron.org>
Date: Mon, 23 Jun 2003 18:41:17 -0400
To: www-tag@w3.org
Message-ID: <20030623224117.GA2722@pool-151-197-215-60.phil.east.verizon.net>

On Monday 2003-06-23 12:58 -0700, Tim Bray wrote:
> We're working on the contentEoverride-24 finding, and it has been 
> suggested that there are security implications in the case where a web 
> agent decides to ignore the media-type the server sent and decide to 
> handle the incoming data in some other fashion based on, for example, 
> peeking inside the data and guessing what it is.
> 
> Whereas this is easy to believe, we'd like to see a specific scenario or 
> two showing how nefarious action or erroneous practice could lead to a 
> security breach.

Consider a site behind a firewall that serves externally-supplied
content (e.g., what was filled out on a feedback form, or incoming email
to some general address) as text/plain.  If implementations don't sniff,
then one could assume that serving such content as text/plain eliminates
the possibility of script being used to steal content from behind the
firewall.  However, if implementations sniff such content for being
HTML-ish, treat it as text/html, and execute scripts contained in the
content, content behind the firewall could be stolen.  (This gets around
cross-site scripting restrictions by planting the content inside the
site whose security is breached.  This requires some cooperation by the
site itself, but doing something that could be expected to be safe.)

-David

-- 
L. David Baron                                <URL: http://dbaron.org/ >
Received on Monday, 23 June 2003 18:42:59 UTC

This archive was generated by hypermail 2.3.1 : Wednesday, 7 January 2015 15:32:38 UTC