Web Browsers Ignore Content-Type Headers Allowing Cross-site Scripting
15 Feb. 2002
The Content-Type header of an HTTP object defines its MIME type, which in turn defines how the object should be handled. A number of web browsers ignore this header, resulting in the object being mis-handled. This can lead to cross-site scripting vulnerabilities in some web-based applications.
Opera Web Browser
A number of header fields are defined for HTTP that give meta-information about the object being supplied. One such header, the Content-Type, defines the MIME type of the object, which in turn specifies how the object should be handled by web browsers.
Failure to honor the MIME type of an object can lead to a number of security related problems, such as cross-site scripting.
Microsoft Internet Explorer (versions 5.x and 6 tested with all available security bundles and related bug fixes) and under some configurations Opera web browsers fail to honor the text/plain MIME type and will interpret the object as text/html. This in turn results in any embedded scripts within the object being executed.
One implication of this is that web applications that explicitly use a text/plain MIME type in order to protect their users from client-side scripting are being denied that protection by their users using vulnerable web browsers.
A number of WebMail and Bulletin Board systems are likely to be susceptible to this issue.
Netscape and Mozilla browsers do not have this problem.
1. Microsoft Security Bulletin MS01-058 addresses a vulnerability in the handling of MIME types in Internet Explorer. That bulletin addresses separate issues, and the subsequent patch does not fix the problem described above.
2. Microsoft released a security fix bundle for IE on 11 February 2002 (MS02-005) that "eliminates all previously discussed security vulnerabilities". This security problem is not addressed in that bundle.
3. Similar issues regarding IE handling of MIME types have previously been discussed in: Microsoft TechNet Article Q258452
* Internet Explorer - disable scripting.
* Opera - select "File->Preferences->Applications->File types" and then check the "Determine action by MIME type" option.
A request for an object such as:
That would then return a document such as:
HTTP/1.1 200 OK
Date: Mon, 04 Feb 2002 14:13:00 GMT
Server: Apache/1.3.22 (Unix)
<h1>broken browser test script</h1>
<script>alert("I could steal your cookie!!")</script>
Results in the embedded Java Script being executed by the web browser, even though it has a text/plain MIME type.
Advisory Sent to Microsoft (firstname.lastname@example.org). A bug report was filed with Opera.