Use "nosniff" header to prevent potential XSS via untrusted files in IE

Bug #1470281 reported by Aaron Wells
Affects   Status         Importance   Assigned to   Milestone
Mahara    Fix Released   Low          Unassigned
1.10      Fix Released   Low          Unassigned
1.9       Fix Released   Low          Unassigned
15.04     Fix Released   Low          Unassigned
15.10     Fix Released   Low          Unassigned

Bug Description

Yuliya posted this one directly into Gerrit: https://reviews.mahara.org/#/c/4821/

Use nosniff header to prevent potential XSS via untrusted files in IE

See
 - https://msdn.microsoft.com/en-us/library/gg622941(v=vs.85).aspx
 - https://www.owasp.org/index.php/List_of_useful_HTTP_headers

Solution is to add it to file serving code in places where we do forced download of files.

Revision history for this message
Aaron Wells (u-aaronw) wrote :

So the idea here is that when Mahara serves a file attachment, we add a response header to it that says "X-Content-Type-Options: nosniff". When IE or Chrome sees this response header, it will *not* attempt to detect the file's type by examining the file or filename. Instead, it will trust the mimetype header that Mahara tells it.

The security idea here is, to quote OWASP, "This reduces exposure to drive-by download attacks and sites serving user uploaded content that, by clever naming, could be treated by MSIE as executable or dynamic HTML files."

Revision history for this message
Aaron Wells (u-aaronw) wrote :

Actually I think this blog entry provides the best example: http://blogs.msdn.com/b/ie/archive/2008/07/02/ie8-security-part-v-comprehensive-protection.aspx

"For example, consider the following HTTP-response:

    HTTP/1.1 200 OK
    Content-Length: 108
    Date: Thu, 26 Jun 2008 22:06:28 GMT
    Content-Type: text/plain;
    X-Content-Type-Options: nosniff

    <html>
    <body bgcolor="#AA0000">
    This page renders as HTML source code (text) in IE8.
    </body>
    </html>

In IE7, the text is interpreted as HTML:

[Screenshot: IE7 text interpreted as HTML]

In IE8, the page is rendered in plaintext:

[Screenshot: IE8 text rendered as plain text]

Sites hosting untrusted content can use the nosniff directive to ensure that text/plain files are not sniffed to anything else."
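
Added example (not Mahara's code and not from the MSDN post): a small Python sketch of the two things this thread describes, the forced-download header set Aaron outlines above and the response shape in the quoted MSDN excerpt. `download_headers` builds the headers a file-serving endpoint would emit for an untrusted upload (attachment disposition, declared Content-Type, and `X-Content-Type-Options: nosniff`), and `has_nosniff` audits a raw HTTP response for the directive, so you can check a deployment after the fix. `SAMPLE_RESPONSE`, the `UPLOADS` map and the `DownloadHandler` demo server are constructed for illustration; all function names are assumptions, not Mahara's API.

```python
"""Serving untrusted uploads with X-Content-Type-Options: nosniff (added example)."""
import http.server
import re

# Constructed sample modelled on the MSDN response quoted in this thread:
# a text/plain body that looks like HTML, protected by the nosniff header.
SAMPLE_RESPONSE = (
    b"HTTP/1.1 200 OK\r\n"
    b"Content-Length: 52\r\n"
    b"Content-Type: text/plain;\r\n"
    b"X-Content-Type-Options: nosniff\r\n"
    b"\r\n"
    b"<html><body>This renders as plain text, not HTML.</body></html>"
)


def parse_response_headers(raw: bytes) -> dict:
    """Split a raw HTTP/1.x response into its status line and a header map.
    Header names are lower-cased; the first occurrence of a name wins."""
    head, _, _body = raw.partition(b"\r\n\r\n")
    status, *header_lines = head.decode("iso-8859-1").split("\r\n")
    headers = {}
    for line in header_lines:
        name, _, value = line.partition(":")
        headers.setdefault(name.strip().lower(), value.strip())
    return {"status": status, "headers": headers}


def has_nosniff(raw: bytes) -> bool:
    """True when the response carries X-Content-Type-Options: nosniff.
    The value is matched case-insensitively, as browsers do."""
    headers = parse_response_headers(raw)["headers"]
    return headers.get("x-content-type-options", "").lower() == "nosniff"


def download_headers(filename: str, mimetype: str, length: int) -> list:
    """Headers for a forced download of a user-uploaded file.

    - Content-Disposition: attachment makes the browser save instead of render.
    - X-Content-Type-Options: nosniff makes IE/Chrome honour the declared
      Content-Type rather than guessing from the bytes or the file name.
    - CR, LF, quotes and backslashes are stripped from the file name so an
      attacker-chosen name cannot inject extra header lines.
    """
    safe_name = re.sub(r'[\r\n"\\]', "", filename)
    return [
        ("Content-Type", mimetype),
        ("Content-Length", str(length)),
        ("Content-Disposition", f'attachment; filename="{safe_name}"'),
        ("X-Content-Type-Options", "nosniff"),
    ]


# Constructed in-memory "upload store": name -> (bytes, declared mimetype).
UPLOADS = {
    "notes.txt": (b"<html><body>looks like html</body></html>", "text/plain"),
}


class DownloadHandler(http.server.BaseHTTPRequestHandler):
    """Minimal demo endpoint that serves UPLOADS with the hardened headers."""

    def do_GET(self):
        name = self.path.lstrip("/")
        if name not in UPLOADS:
            self.send_error(404)
            return
        data, mimetype = UPLOADS[name]
        self.send_response(200)
        for header, value in download_headers(name, mimetype, len(data)):
            self.send_header(header, value)
        self.end_headers()
        self.wfile.write(data)


if __name__ == "__main__":
    # Fetch http://127.0.0.1:8080/notes.txt and inspect the response headers.
    http.server.HTTPServer(("127.0.0.1", 8080), DownloadHandler).serve_forever()
```

Running the module starts the demo server; fetching `/notes.txt` with any HTTP client shows the four headers, and feeding the raw response bytes to `has_nosniff` confirms the directive is present. The same checker works on responses captured from a real Mahara file-download URL after the patch is deployed.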

Revision history for this message
Mahara Bot (dev-mahara) wrote : A change has been merged

Reviewed: https://reviews.mahara.org/4821
Committed: https://git.nzoss.org.nz/mahara/mahara/commit/96b117e5e37cc4a9f630902c51f1dfeaa45f8a9a
Submitter: Aaron Wells (<email address hidden>)
Branch: master

commit 96b117e5e37cc4a9f630902c51f1dfeaa45f8a9a
Author: Yuliya Bozhko <email address hidden>
Date: Thu Jun 4 08:24:53 2015 +0100

Use nosniff header to prevent potential XSS via untrusted files in IE

Bug 1470281

See
https://msdn.microsoft.com/en-us/library/gg622941(v=vs.85).aspx
https://www.owasp.org/index.php/List_of_useful_HTTP_headers

Solution is to add it to file serving code in places where we do forced
download of files.

Change-Id: Ic46d02f65d9ed1cb57fb50e8fab2cbc9f62428a1
Signed-off-by: Yuliya Bozhko <email address hidden>
Signed-off-by: Aaron Wells <email address hidden>

Revision history for this message
Mahara Bot (dev-mahara) wrote : A patch has been submitted for review

Patch for "15.04_STABLE" branch: https://reviews.mahara.org/4948

Revision history for this message
Mahara Bot (dev-mahara) wrote :

Patch for "1.10_STABLE" branch: https://reviews.mahara.org/4949

Revision history for this message
Mahara Bot (dev-mahara) wrote :

Patch for "1.9_STABLE" branch: https://reviews.mahara.org/4950

Revision history for this message
Mahara Bot (dev-mahara) wrote : A change has been merged

Reviewed: https://reviews.mahara.org/4950
Committed: https://git.nzoss.org.nz/mahara/mahara/commit/7b9b434ba2b6232d0a69379f9baea5f4b09e2672
Submitter: Aaron Wells (<email address hidden>)
Branch: 1.9_STABLE

commit 7b9b434ba2b6232d0a69379f9baea5f4b09e2672
Author: Yuliya Bozhko <email address hidden>
Date: Thu Jun 4 08:24:53 2015 +0100

Use nosniff header to prevent potential XSS via untrusted files in IE

Bug 1470281

See
https://msdn.microsoft.com/en-us/library/gg622941(v=vs.85).aspx
https://www.owasp.org/index.php/List_of_useful_HTTP_headers

Solution is to add it to file serving code in places where we do forced
download of files.

Change-Id: Ic46d02f65d9ed1cb57fb50e8fab2cbc9f62428a1
Signed-off-by: Yuliya Bozhko <email address hidden>
Signed-off-by: Aaron Wells <email address hidden>
(cherry picked from commit 96b117e5e37cc4a9f630902c51f1dfeaa45f8a9a)

Revision history for this message
Mahara Bot (dev-mahara) wrote :

Reviewed: https://reviews.mahara.org/4949
Committed: https://git.nzoss.org.nz/mahara/mahara/commit/b380dfc7c9b98864b6d837da7838eb96ddf441f5
Submitter: Aaron Wells (<email address hidden>)
Branch: 1.10_STABLE

commit b380dfc7c9b98864b6d837da7838eb96ddf441f5
Author: Yuliya Bozhko <email address hidden>
Date: Thu Jun 4 08:24:53 2015 +0100

Use nosniff header to prevent potential XSS via untrusted files in IE

Bug 1470281

See
https://msdn.microsoft.com/en-us/library/gg622941(v=vs.85).aspx
https://www.owasp.org/index.php/List_of_useful_HTTP_headers

Solution is to add it to file serving code in places where we do forced
download of files.

Change-Id: Ic46d02f65d9ed1cb57fb50e8fab2cbc9f62428a1
Signed-off-by: Yuliya Bozhko <email address hidden>
Signed-off-by: Aaron Wells <email address hidden>
(cherry picked from commit 96b117e5e37cc4a9f630902c51f1dfeaa45f8a9a)

Revision history for this message
Mahara Bot (dev-mahara) wrote :

Reviewed: https://reviews.mahara.org/4948
Committed: https://git.nzoss.org.nz/mahara/mahara/commit/890b2bf5ca7ebaca37a6b4474b73215eb4635ed2
Submitter: Aaron Wells (<email address hidden>)
Branch: 15.04_STABLE

commit 890b2bf5ca7ebaca37a6b4474b73215eb4635ed2
Author: Yuliya Bozhko <email address hidden>
Date: Thu Jun 4 08:24:53 2015 +0100

Use nosniff header to prevent potential XSS via untrusted files in IE

Bug 1470281

See
https://msdn.microsoft.com/en-us/library/gg622941(v=vs.85).aspx
https://www.owasp.org/index.php/List_of_useful_HTTP_headers

Solution is to add it to file serving code in places where we do forced
download of files.

Change-Id: Ic46d02f65d9ed1cb57fb50e8fab2cbc9f62428a1
Signed-off-by: Yuliya Bozhko <email address hidden>
Signed-off-by: Aaron Wells <email address hidden>
(cherry picked from commit 96b117e5e37cc4a9f630902c51f1dfeaa45f8a9a)

This report contains Public Security information  
Everyone can see this security related information.
