Exploiting IE MIME-sniffer vulnerability in Drupal

IE always loved to create vulnerabilities where they would never be. Not many people know, but there is an old bug in IE MIME-sniffer, which can be easily exploited. The essence of the bug is that when IE renders file, which was sent along with Content-type: text/plain header, it tries to identify its MIME type. So, if file contains HTML code inside, IE will think its text/html and render it. Simple example of exploit in Drupal:
1. There is a Drupal site with enabled Upload module.
2. Attacker uploads *.txt file with HTML code inside. By default Drupal allows *.txt files.
3. Attacker sends a link to that file to victim.
4. Victim opens it in IE and HTML code is rendered.

It's pretty bad that Drupal core, which is tough by default, can be exploited in such a simple manner. I understand that it's not Drupal issue, but Microsoft isn't going to fix it. Instead, they suggest to send X-Content-Type-Options: nosniff HTTP response header. But, it's not possible to do this in Drupal and Drupal Security Team didn't fix it for 2 years and won't do this in future. So, if you are aware of your users' safety, remove .txt from allowed tags. You can do this in Administer -> Site configuration -> File uploads.


Anonymous said...

Note that the only "disallow text file" is a real solution.

The others only work on IE8 and IE7+IE6 are still a large percent of a typical site userbase.

p0deje said...

You are right. As another solution, it's possible to add Content-disposition: attachment header, so browser will open a dialog for saving file, instead of rendering it.

Bilal Khan said...

how to hack drupal
how to hack drupal,drupal exploiter,drupal exploiter,how to hack drupal website,drupal website hacking


Post a Comment