[Mimedefang] Unintended consequences

Jan-Pieter Cornet johnpc at xs4all.nl
Wed Dec 27 19:29:07 EST 2006


On Wed, Dec 27, 2006 at 03:12:55PM -0500, David F. Skoll wrote:
> I've heard rumours that if Windows cannot determine what to do with a
> file based on the MIME type or file name, it actually looks at the
> "magic values" in the file to determine the file type.  If this is the
> case (I have no way of knowing), then the only safe workaround is (1).

It is true. See:
http://msdn.microsoft.com/workshop/networking/moniker/overview/appendix_a.asp

This was the cause of a recently discovered cross site scripting bug
in a LOT of webmail applications (including gmail), when using IE.

I'm not aware if this same bug can be hit by common windows MUAs
like outlook express, but it would frankly astonish me if there
isn't a windows MUA out there that isn't susceptible to this.

Or in simple terms: it doesn't make any difference what mime type
you specify, if windows thinks it is HTML, it will be rendered
as HTML.

(workarounds: firefox, and/or Ubuntu (insert your favorite linux distro)).

-- 
Jan-Pieter Cornet <johnpc at xs4all.nl>
!! Disclaimer: The addressee of this email is not the intended recipient. !!
!! This is only a test of the echelon and data retention systems. Please !!
!! archive this message indefinitely to allow verification of the logs.  !!
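Added example, not from the list thread or from MIMEDefang itself: a filter-side check that flags message parts whose bytes would be sniffed as HTML even though the declared Content-Type says otherwise, which is the mismatch the message above describes. The marker list and the 256-byte window are assumptions for illustration, a subset in the spirit of the MSDN appendix, not the exact Windows algorithm.

```python
from email import message_from_bytes
from email.message import EmailMessage

# Assumption: an illustrative subset of the HTML tags that content sniffers look for
# near the start of a file. This is not the exact Windows/IE list from the MSDN page.
HTML_MARKERS = (b"<html", b"<head", b"<title", b"<body", b"<script", b"<iframe",
                b"<a href", b"<img", b"<table", b"<div", b"<meta", b"<!--")
SNIFF_WINDOW = 256  # assumption: bytes examined, not a documented Windows value


def looks_like_html(data: bytes) -> bool:
    """True if the leading bytes contain an HTML marker (case-insensitive)."""
    head = data[:SNIFF_WINDOW].lstrip().lower()
    return any(marker in head for marker in HTML_MARKERS)


def suspicious_parts(raw_message: bytes) -> list:
    """List parts declared as something other than text/html that would sniff as HTML.

    A gateway filter can use this to rename, wrap or quarantine such parts before
    delivery, since the declared MIME type alone will not stop a sniffing client
    from rendering them as HTML.
    """
    msg = message_from_bytes(raw_message)
    hits = []
    for part in msg.walk():
        if part.is_multipart():
            continue  # containers carry no payload of their own
        ctype = part.get_content_type()
        if ctype == "text/html":
            continue  # declared HTML is expected to render as HTML
        payload = part.get_payload(decode=True) or b""  # undo base64/quoted-printable
        if looks_like_html(payload):
            hits.append(f"{part.get_filename() or '(inline)'} declared {ctype}")
    return hits


def build_sample() -> bytes:
    """Constructed sample message: one .txt attachment that is really HTML, one that is not."""
    msg = EmailMessage()
    msg["From"] = "sender@example.invalid"
    msg["To"] = "recipient@example.invalid"
    msg["Subject"] = "constructed sample"
    msg.set_content("See attached notes.")
    msg.add_attachment(b"<html><body><b>hello</b></body></html>",
                       maintype="text", subtype="plain", filename="notes.txt")
    msg.add_attachment(b"just ordinary text\n",
                       maintype="text", subtype="plain", filename="readme.txt")
    return msg.as_bytes()


if __name__ == "__main__":
    for hit in suspicious_parts(build_sample()):
        print("would sniff as HTML:", hit)
```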
