Please be advised my testing occurred on Windows XP SP2 and Windows 2003 SP1, both with the latest versions of IE 6 and IE 7 Beta 2.

I'm hearing from various people that some versions of IE on Windows 2000 do not appear to be affected. There may be others as well.

On 4/10/06, Darren Bounds <[EMAIL PROTECTED]> wrote:
> Microsoft Internet Explorer Content-Disposition HTML File Handling Flaw
> April 10, 2006
>
> Content-Disposition (defined in RFC 2183) is often used by web application developers as a mechanism to instruct the web browser on how it should handle a file download. This is commonly used to help prevent access to the application scope when handling file attachments and mitigates the ability to leverage client-side attacks, such as XSS, through file downloads.
>
> While Internet Explorer does handle downloading most file types correctly with Content-Disposition, it mishandles HTML files and instead opens them inline, exposing the application scope. As such, it is strongly advisable that web-based software vendors use alternative methods to mitigate this class of attack.
>
> A simple PoC is available at the following URL:
> http://xs.vc/content-disposition/
> Feel free to compare the results of Firefox and IE.
>
> Vulnerable Versions:
> All versions up to and including Internet Explorer 7 Beta 2.
>
> References:
> http://www.faqs.org/rfcs/rfc2183.html
> http://support.microsoft.com/kb/182315/
> http://msdn.microsoft.com/library/default.asp?url=/workshop/networking/moniker/overview/mime_handling.asp
>
> I felt it was necessary to make this flaw public now because while the weakness results from IE's flawed support of RFC 2183, the exposure is with the 3rd party applications which support it.
>
> Due to the simplicity of exploitation, it is not unlikely this is being used in the wild.
>
>
> Thank you,
>
> Darren Bounds
>

--
Thank you,

Darren Bounds

_______________________________________________
Full-Disclosure - We believe in it.
Charter: http://lists.grok.org.uk/full-disclosure-charter.html
Hosted and sponsored by Secunia - http://secunia.com/
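The advisory's point for application developers is that `Content-Disposition: attachment` on its own does not keep a user-supplied HTML file out of the application's origin when the browser (IE 6 / IE 7 Beta 2 here) renders it inline anyway. The following is an added example, not Darren Bounds' PoC and not code from any product named above: a small audit routine that flags download responses which depend only on Content-Disposition, and a header builder showing the layered alternatives (non-renderable Content-Type, a separate download origin, and `X-Content-Type-Options: nosniff`, which later browsers honour). The `Response` class, the origin values and the sample responses are constructed for the example.

```python
"""Audit of file-download responses against the IE Content-Disposition flaw.

Added example. Assumes a web application that serves user-uploaded files and
wants the download to never execute in the application's own origin, even in
a browser that ignores Content-Disposition for HTML.
"""
from dataclasses import dataclass
from typing import Dict, List

# Content types a browser may choose to render as a document instead of saving.
# Per the advisory, IE 6/7 render HTML inline despite "attachment", so these
# are the types that must not be served as downloads from the app origin.
RENDERABLE_TYPES = {
    "text/html", "application/xhtml+xml", "text/xml",
    "application/xml", "image/svg+xml",
}


@dataclass
class Response:
    """Constructed stand-in for an HTTP response: headers plus the origin it came from."""
    headers: Dict[str, str]
    origin: str


def download_headers(filename: str) -> Dict[str, str]:
    """Headers for serving an untrusted upload as a download.

    Content-Disposition is still set, but the response no longer relies on it:
    the type is non-renderable and sniffing is disabled for browsers that
    support nosniff. Serving from a separate origin is a deployment decision
    checked by audit_download(), not something a header can express.
    """
    # Keep only characters that cannot break the quoted filename parameter.
    safe_name = "".join(c for c in filename if c.isalnum() or c in "._-") or "download"
    return {
        "Content-Type": "application/octet-stream",  # never text/html for user content
        "Content-Disposition": f'attachment; filename="{safe_name}"',
        "X-Content-Type-Options": "nosniff",         # honoured by later browsers, harmless in IE 6/7
        "Cache-Control": "no-store",
    }


def audit_download(resp: Response, app_origin: str) -> List[str]:
    """Return a list of findings for a download response; empty means no finding."""
    findings: List[str] = []
    content_type = resp.headers.get("Content-Type", "").split(";")[0].strip().lower()
    disposition = resp.headers.get("Content-Disposition", "").lower()

    if content_type in RENDERABLE_TYPES and resp.origin == app_origin:
        findings.append(
            "renderable type served from the application origin: a browser that "
            "ignores Content-Disposition (IE 6/7 for HTML) runs it in the app scope"
        )
    if "attachment" not in disposition:
        findings.append("no 'attachment' Content-Disposition")
    if resp.headers.get("X-Content-Type-Options", "").lower() != "nosniff":
        findings.append("missing X-Content-Type-Options: nosniff")
    return findings


if __name__ == "__main__":
    app = "https://app.example"  # constructed origin
    # Constructed response that relies on Content-Disposition alone, as the advisory warns against.
    weak = Response({"Content-Type": "text/html",
                     "Content-Disposition": 'attachment; filename="report.html"'}, app)
    # Constructed response using the layered headers from a separate download origin.
    hardened = Response(download_headers("report.html"), "https://files.example")
    for name, r in (("weak", weak), ("hardened", hardened)):
        print(name, audit_download(r, app) or "ok")
```

The audit is deliberately about the response as a browser sees it: a `text/html` body with `attachment` disposition is only a finding when it is served from the application's own origin, because a separate download origin keeps the rendered file outside the application scope even in a browser with the flaw.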
