Don't Sniff the MIME

Both browsers and popular web servers include so-called MIME-sniffing functionality. This is an underestimated security risk and a vector for Cross-Site Scripting vulnerabilities. When web applications allow file uploads and the web server cannot reliably determine the file type, it will often try to guess it based on its content. If the server won't do it, then the browser will. In both cases this content is attacker controlled, and if it contains HTML code it will be rendered within the origin of the attacked web application and allow the execution of JavaScript code. The interaction of web servers, browsers, standards and web applications creates problems where it's often unclear who's responsible for a vulnerability and who should fix it. Existing standards almost inevitably lead to vulnerabilities in common web application scenarios. Existing security measures like "X-Content-Type-Options: nosniff" are incomplete and don't provide the expected protection. The talk will explain the general problem and three practical vulnerabilities in the content management systems WordPress and Joomla and in the mailing list software Mailman. The latter affects almost every Mailman installation with publicly accessible web archives. Further vulnerable components include Edge, Firefox, the Apache web server and Caddy.
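The abstract describes two guessing points: the server guessing a type it cannot determine, and the browser guessing one the server did not state. The following Python is an added example, not code from the talk or from any of the projects it names; it shows what a defender's upload handler can do on both sides. On the way in it checks the declared type against a small allow list of magic-byte signatures and refuses bodies whose leading bytes carry the HTML tags a sniffing algorithm acts on. On the way out it builds response headers that state the type explicitly, so that no guessing is needed, with nosniff and an attachment disposition as extra layers. The tag list, the 1445-byte window and the accepted types are assumptions modelled on the WHATWG MIME sniffing algorithm and on a hypothetical image-and-text upload form, and the check deliberately scans the whole window rather than only its start, which makes it stricter than a browser.

```python
"""Added example: an upload gate and a download-header helper against MIME sniffing."""
import re

# Assumed allow list for a hypothetical upload form: magic-byte prefixes per type.
# text/plain has no signature and relies on the HTML check alone.
MAGIC = {
    "image/png": (b"\x89PNG\r\n\x1a\n",),
    "image/jpeg": (b"\xff\xd8\xff",),
    "image/gif": (b"GIF87a", b"GIF89a"),
    "text/plain": (),
}

# Tag names that sniffing algorithms treat as evidence of HTML, modelled on the
# WHATWG "<!DOCTYPE HTML", "<HTML", "<SCRIPT", ... patterns (assumed, approximate).
# A tag only counts if it is terminated like a browser would terminate it.
_HTML_TAG = re.compile(
    rb"<(?:!doctype\s+html|html|head|script|iframe|h1|div|font|table|a|style|"
    rb"title|b|body|br|p)(?=[\s>/])",
    re.IGNORECASE,
)

# Assumed size of the prefix a sniffer inspects (the spec's "resource header").
SNIFF_WINDOW = 1445


def looks_like_html(data: bytes) -> bool:
    """True if the inspected prefix contains an HTML tag a sniffer would act on."""
    return _HTML_TAG.search(data[:SNIFF_WINDOW]) is not None


def matches_magic(declared: str, data: bytes) -> bool:
    """True if the body starts with a signature for the declared, allow-listed type."""
    prefixes = MAGIC.get(declared)
    if prefixes is None:
        return False  # type is not on the allow list at all
    if not prefixes:
        return True  # text/plain: nothing to match, the HTML check still applies
    return any(data.startswith(p) for p in prefixes)


def validate_upload(declared: str, data: bytes) -> tuple[bool, str]:
    """Decide whether an upload may be stored; returns (accepted, reason)."""
    if declared not in MAGIC:
        return False, f"type {declared!r} not allowed"
    if not matches_magic(declared, data):
        return False, f"body does not match the signature for {declared}"
    if looks_like_html(data):
        return False, "body contains HTML markup a sniffer could render"
    return True, "ok"


def download_headers(content_type: str, filename: str) -> dict[str, str]:
    """Headers for serving a stored upload back: an explicit type so neither the
    server nor the browser has to guess, plus nosniff and an attachment
    disposition as defence in depth (nosniff alone is not a complete fix)."""
    safe_name = re.sub(r"[^A-Za-z0-9._-]", "_", filename)
    return {
        "Content-Type": content_type,
        "X-Content-Type-Options": "nosniff",
        "Content-Disposition": f'attachment; filename="{safe_name}"',
    }


if __name__ == "__main__":
    # Constructed sample uploads, not files from any real system.
    samples = [
        ("image/png", b"\x89PNG\r\n\x1a\n" + b"\x00" * 32),
        ("image/png", b"<html><script>alert(1)</script></html>"),
        ("text/plain", b"release notes: version 1 < version 2"),
        ("text/plain", b"<!DOCTYPE html><script>alert(1)</script>"),
    ]
    for declared, body in samples:
        print(declared, validate_upload(declared, body))
    print(download_headers("image/png", "avatar (1).png"))
```

The header helper is the half that matters once a file is already stored: the abstract's point is that a server which cannot determine a type will guess, so the application should always send one it determined at upload time rather than leaving the decision to the web server or the browser.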

Presented at Security Fest 2019.

Speaker: Hanno Böck

About Hanno Böck


Hanno Böck is a hacker and freelance journalist. He is a regular writer for the German online IT magazine Golem.de and writes the monthly Bulletproof TLS Newsletter. He discovered the ROBOT attack against TLS implementations, which was awarded a Pwnie Award in 2018. He has spoken previously at conferences like DEF CON, Black Hat and CCC.
