Follow this link with IE: dictionary2.txt
dictionary2.txt is a simple txt file which contains the following text:
Account Number <script>alert(1)</script>
IE will execute the JavaScript. I have tested this with IE 7 but haven't tried the previous IE versions.
I am sure this has already been known, but what is really worrying me is IE's reaction after accessing a txt file with HTML content from different browser security zones.
For instance, if the same file is opened locally, a warning notification is shown to the user. If the txt file is accessed through the Internet security zone, no notification is shown at all (that's scary).
Why is the MIME mishandling possible?
According to MSDN, IE handles MIME in the following way:
"Internet Explorer first consults the Content-Type and Content-Disposition headers for the MIME type from the HTTP server, if they exist. Next, Internet Explorer consults the registry entry for that MIME type under HKEY_CLASSES_ROOT\MIME\Database\Content Type and looks at the Extension key for the correct file extension. Internet Explorer then ensures that the file has that extension, before placing it in the local browser cache". [...]
So, I went to check the above Windows Registry key values and in fact the CLSID used for the HTML MIME type is the same one used for the TXT MIME type. What a strange coincidence!
So, pay attention before opening any text files with IE from the internet!
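The following is an added example, not code from the original post: a small Python check that reproduces the defender's view of the problem described above. It flags an HTTP response that is declared (or left undeclared) as text/plain but whose leading bytes would be sniffed as HTML, and shows how a server would return the same file with headers that do not invite sniffing. The list of HTML markers is illustrative and is not IE's actual sniffing table; the X-Content-Type-Options: nosniff header is not discussed in the post (it was introduced in IE 8, after the IE 7 test the post describes). The sample responses are constructed, using the dictionary2.txt content quoted in the post.

```python
"""Detect text/plain responses whose body would be sniffed as HTML.

Added example illustrating the IE behaviour described in the post.
The marker list and the sample responses are constructed; the markers
are an illustrative subset, not the browser's real sniffing rules.
"""
import re
from typing import Dict

# Tags a content sniffer typically treats as "this is really HTML".
# Assumption: illustrative list only.
HTML_MARKERS = re.compile(
    rb"<\s*(?:!doctype\s+html|html|head|body|script|iframe|img|table|div"
    rb"|title|font|pre|a|p|h[1-6])[\s>/]",
    re.IGNORECASE,
)

# Constructed sample body: the dictionary2.txt content quoted in the post.
DICTIONARY_TXT = b"Account Number <script>alert(1)</script>\n"


def _header(headers: Dict[str, str], name: str) -> str:
    """Case-insensitive header lookup; HTTP header names are not case-sensitive."""
    for key, value in headers.items():
        if key.lower() == name.lower():
            return value
    return ""


def declared_type(headers: Dict[str, str]) -> str:
    """Return the media type from Content-Type, lower-cased, without parameters."""
    return _header(headers, "Content-Type").split(";", 1)[0].strip().lower()


def looks_like_html(body: bytes, sniff_window: int = 512) -> bool:
    """True if an HTML-looking tag appears in the first sniff_window bytes,
    which is the region content sniffers inspect."""
    return HTML_MARKERS.search(body[:sniff_window]) is not None


def sniffing_risk(headers: Dict[str, str], body: bytes) -> bool:
    """A response is at risk of being rendered as HTML when it is served as
    text/plain (or with no Content-Type), its body looks like HTML, and the
    server has not opted out of sniffing with X-Content-Type-Options: nosniff."""
    if _header(headers, "X-Content-Type-Options").strip().lower() == "nosniff":
        return False
    if declared_type(headers) not in ("", "text/plain"):
        return False
    return looks_like_html(body)


def harden_text_headers(headers: Dict[str, str]) -> Dict[str, str]:
    """Return a copy of the headers that pins the media type and charset and
    tells sniffing-aware browsers not to second-guess it."""
    hardened = {
        k: v for k, v in headers.items()
        if k.lower() not in ("content-type", "x-content-type-options")
    }
    hardened["Content-Type"] = "text/plain; charset=utf-8"
    hardened["X-Content-Type-Options"] = "nosniff"
    return hardened


if __name__ == "__main__":
    weak = {"Content-Type": "text/plain"}
    print("risk with plain headers:", sniffing_risk(weak, DICTIONARY_TXT))
    print("risk after hardening:  ", sniffing_risk(harden_text_headers(weak), DICTIONARY_TXT))
```

Run the block directly to see the constructed text file flagged with the weak headers and cleared once the hardened headers are applied; the same functions can be pointed at captured responses from a proxy log.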