persistent xss vulnerability through uploaded files in IE8/9

2012-08-08T03:47:49
ID ATLASSIAN:CONFSERVER-46953
Type atlassian
Reporter dblack
Modified 2017-04-02T09:04:17

Description

NOTE: This bug report is for Confluence Server. Using Confluence Cloud? See the corresponding bug report: http://jira.atlassian.com/browse/CONFCLOUD-46953

It is possible to upload a number of file types (checked by extension) to an answers instance and then download them later. Internet Explorer (8/9) sniffs text/plain downloads (and some other content-types) to determine the content-type to use. This means that a file served with a text/plain content-type can be rendered by Internet Explorer as text/html (as HTML). To solve this problem it is possible to:

1. set the Content-Disposition header to "attachment"
2. and/or set the X-Content-Type-Options header to "nosniff"
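The two mitigations listed above, as an added example that is not Atlassian's code or part of the original report: a small Python helper that builds the response headers for serving an uploaded file as a download (Content-Disposition: attachment plus X-Content-Type-Options: nosniff), together with an audit function that lists which of the two mitigations a given set of response headers is missing. The function names, the constructed sample upload and the conservative filename sanitisation are assumptions of this example, not anything the report specifies.

```python
"""Serve uploaded files so that IE 8/9 cannot MIME-sniff a text/plain body into HTML.

Added example (not the project's code). The constructed upload below has a .txt
extension, so an extension-based upload filter accepts it, yet its body is HTML:
exactly the case the report describes.
"""
import mimetypes
import posixpath
import re

# Constructed sample: passes an extension check, but the body looks like HTML to a sniffer.
UPLOADED_FILES = {
    "notes.txt": b"<html><body><p>this body looks like html to a sniffer</p></body></html>",
}


def attachment_filename(name):
    """Strip any directory part and any character that could break the header value."""
    base = posixpath.basename(name.replace("\\", "/"))
    # Conservative character set; anything else becomes an underscore.
    return re.sub(r"[^A-Za-z0-9._-]", "_", base) or "download"


def download_headers(filename):
    """Response headers for serving an uploaded file with both mitigations applied."""
    content_type = mimetypes.guess_type(filename)[0] or "application/octet-stream"
    return {
        "Content-Type": content_type,
        # 1. Force a download dialog instead of rendering the body inline.
        "Content-Disposition": 'attachment; filename="%s"' % attachment_filename(filename),
        # 2. Tell IE 8/9 (and later browsers) not to sniff the body for another type.
        "X-Content-Type-Options": "nosniff",
    }


def sniffing_findings(headers):
    """Audit a response's headers; return the list of missing mitigations (empty = ok)."""
    lowered = {k.lower(): v for k, v in headers.items()}
    findings = []
    if lowered.get("x-content-type-options", "").strip().lower() != "nosniff":
        findings.append("missing X-Content-Type-Options: nosniff")
    disposition = lowered.get("content-disposition", "").split(";")[0].strip().lower()
    if disposition != "attachment":
        findings.append("Content-Disposition is not attachment")
    return findings


if __name__ == "__main__":
    for name in UPLOADED_FILES:
        headers = download_headers(name)
        for key, value in headers.items():
            print("%s: %s" % (key, value))
        print("findings:", sniffing_findings(headers) or "none")
```

`sniffing_findings` is the check to run against an existing download endpoint: feed it the headers a real response carries and treat a non-empty result as a regression of either mitigation.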