Re: NEW ISSUE: content sniffing

On Tue, Mar 31, 2009 at 2:23 PM, Adrien de Croy wrote:
> Do servers sniff to try and fill in the Content-Type field?

Yes.  We found this is quite common when we examined open-source Web
applications that accept user uploads.  For example, Wikipedia does

> Most I think have a fairly simplistic static mapping of file extension to Content-Type.

This is how Apache works.

> Many types of content already have a signature in them which can be used to
> determine type, e.g. JPEGs, GIFs, etc.

Wikipedia uses this technique.  Mismatches between a site's sniffing
algorithm and the user agent's sniffing algorithm often lead to
exploitable vulnerabilities.  See Section 2.5 of for two
concrete examples of how this happens.


Received on Tuesday, 31 March 2009 21:27:22 UTC
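
An added illustration of the mismatch described in the message above (not part of the original message, and not any site's or browser's actual code): a signature check of the kind the message describes, next to a simplified, assumed model of a user agent's HTML sniffer, used to reject uploads the two would classify differently. `HTML_HINT`, `UA_WINDOW` and the sample bytes are assumptions constructed for the example.

```python
import re

# Leading-byte signatures, the kind of server-side check the message describes.
SIGNATURES = [
    (b"GIF87a", "image/gif"),
    (b"GIF89a", "image/gif"),
    (b"\xff\xd8\xff", "image/jpeg"),
    (b"\x89PNG\r\n\x1a\n", "image/png"),
]

# Assumption: a simplified model of a user agent's sniffer that treats a
# response as HTML if one of these tags appears near the start of the body.
HTML_HINT = re.compile(rb"<\s*(?:!doctype|html|head|body|script|iframe|a\s)", re.I)
UA_WINDOW = 256  # hypothetical number of leading bytes the UA inspects


def server_sniff(data: bytes):
    """Return the type implied by the file signature, or None."""
    for magic, ctype in SIGNATURES:
        if data.startswith(magic):
            return ctype
    return None


def ua_may_treat_as_html(data: bytes) -> bool:
    """True if the modelled UA sniffer could decide the body is HTML."""
    return HTML_HINT.search(data[:UA_WINDOW]) is not None


def check_upload(data: bytes):
    """Accept only if both sniffers would agree the upload is an image."""
    ctype = server_sniff(data)
    if ctype is None:
        return (None, "reject: unknown signature")
    if ua_may_treat_as_html(data):
        return (ctype, "reject: signature says image, UA model says HTML")
    return (ctype, "accept")


# Constructed sample inputs (not real files).
PLAIN_GIF = b"GIF89a\x01\x00\x01\x00\x80\x00\x00\x00\x00\x00\xff\xff\xff,\x00"
MISMATCH = b"GIF89a<html><body>constructed sample</body></html>"

if __name__ == "__main__":
    for name, blob in [("plain", PLAIN_GIF), ("mismatch", MISMATCH)]:
        print(name, check_upload(blob))
```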