s0nIc
February 15th, 2002, 06:22 AM
Microsoft Internet Explorer MIME Type File Extension Spoofing Vulnerability
Microsoft Internet Explorer uses the Content-Type and Content-Disposition HTML header fields to determine the file type of non-HTML files referenced by a website. These two content headers make up the MIME type of the field.
It is possible to insert information into the Content-Type and Content-Disposition fields that would tell Internet Explorer that a file being downloaded is of a different type than it actually is. This would not cause the file to be executed automatically, but could trick a vulnerable user into believing that they are downloading a text file instead of an executable file.
This vulnerability was originally believed to be the same as the one reported in Bugtraq ID 3597, but was later found to be a different method of achieving the same goal.
Remote: Yes
Exploit: There is no exploit code.
Solution: Microsoft has released a patch to address this issue:
Microsoft Internet Explorer 5.0.1SP2:
Microsoft Patch q316059_IE 5.01
http://download.microsoft.com/download/ie501sp2/secpac25/5.01_sp2/NT5/EN-US/q316059.exe
Microsoft Internet Explorer 5.5SP2:
Microsoft Patch q316059_IE 5.5SP2
http://download.microsoft.com/download/ie55sp2/secpac25/5.5_sp2/WIN98Me/EN-US/q316059.exe
Microsoft Internet Explorer 5.5SP1:
Microsoft Patch q316059_IE 5.5SP1
http://download.microsoft.com/download/ie55sp1/secpac25/5.5_sp1/WIN98Me/EN-US/q316059.exe
Microsoft Internet Explorer 6.0:
Microsoft Patch q316059_IE6
http://download.microsoft.com/download/IE60/secpac25/6/W98NT42KMeXP/EN-US/q316059.exe
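
For defenders, the mismatch described above can be checked at a proxy or download scanner by comparing what the Content-Type and Content-Disposition headers claim with the first bytes of the body. The following is an added example, not part of the original post or the advisory; the function names, extension list and sample responses are assumptions constructed for illustration.

```python
import os
from email.message import Message

# Well-known leading bytes of native executables.
EXEC_MAGIC = {b"MZ": "Windows PE/DOS executable", b"\x7fELF": "ELF executable"}
# Extensions Windows runs directly (illustrative subset, not exhaustive).
EXEC_EXTS = {".exe", ".com", ".scr", ".pif", ".bat", ".cmd"}
# Declared types a user would read as harmless (illustrative subset).
PASSIVE_TYPES = ("text/", "image/", "audio/", "video/")

def sniff_executable(body):
    """Return a format name if body starts with executable magic, else None."""
    for magic, name in EXEC_MAGIC.items():
        if body.startswith(magic):
            return name
    return None

def check_download(content_type, content_disposition, body):
    """List disagreements between the response headers and the actual bytes."""
    msg = Message()
    if content_type:
        msg["Content-Type"] = content_type
    if content_disposition:
        msg["Content-Disposition"] = content_disposition
    declared = msg.get_content_type() if content_type else ""
    ext = os.path.splitext(msg.get_filename() or "")[1].lower()
    actual = sniff_executable(body)
    findings = []
    if actual and declared.startswith(PASSIVE_TYPES):
        findings.append(f"Content-Type {declared} but body is a {actual}")
    if actual and ext and ext not in EXEC_EXTS:
        findings.append(f"filename extension {ext} but body is a {actual}")
    if ext in EXEC_EXTS and declared.startswith(PASSIVE_TYPES):
        findings.append(f"Content-Type {declared} but filename is {ext}")
    return findings

# Constructed sample responses (headers and first bytes), not real captures.
SAMPLES = [
    ("text/plain", 'attachment; filename="readme.txt"', b"MZ\x90\x00\x03"),
    ("application/octet-stream", 'attachment; filename="setup.exe"', b"MZ\x90\x00"),
    ("text/plain; charset=us-ascii", 'attachment; filename="notes.txt"', b"hello\n"),
]

if __name__ == "__main__":
    for ctype, cdisp, body in SAMPLES:
        print(ctype, "|", cdisp, "->", check_download(ctype, cdisp, body) or "consistent")
```

Only the first constructed sample is flagged: its headers present a text file while the body begins with an executable header.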