joola.io: X-Content-Type-Options header missing

2014-05-20T12:23:48
ID H1:12613
Type hackerone
Reporter jayvardhansingh
Modified 2014-07-08T10:00:33

Description

Hello Team

The site doesn't have the X-Content-Type-Options header set, which means it is vulnerable to MIME sniffing. The only defined value, "nosniff", prevents Internet Explorer and Google Chrome from MIME-sniffing a response away from the declared content-type. This also applies to Google Chrome when downloading extensions. This reduces exposure to drive-by download attacks and to sites serving user-uploaded content that, by clever naming, could be treated by MSIE as executable or dynamic HTML files.
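A small checker for the header the report describes, added here as an example and not part of the HackerOne report or of joola.io; it parses a raw HTTP response head and classifies the X-Content-Type-Options state, with the sample responses constructed inline rather than captured from the site.

```python
"""Check whether an HTTP response sets X-Content-Type-Options: nosniff.

Added example (not part of the HackerOne report). It parses a raw HTTP/1.1
response head and reports whether MIME sniffing is disabled, handling the
edge cases a scanner has to get right: header names are case-insensitive,
the value is compared case-insensitively after trimming, and a duplicated
header with a conflicting value is treated as a failure.
"""
from typing import List, Tuple


def parse_headers(raw: str) -> List[Tuple[str, str]]:
    """Return (name, value) pairs from a raw response head; stops at the blank line."""
    head = raw.split("\r\n\r\n", 1)[0]
    pairs = []
    for line in head.split("\r\n")[1:]:  # skip the status line
        if not line or ":" not in line:
            continue
        name, value = line.split(":", 1)
        pairs.append((name.strip().lower(), value.strip()))
    return pairs


def nosniff_status(raw: str) -> str:
    """Classify a response as 'ok', 'missing', or 'invalid' for X-Content-Type-Options."""
    values = [v.lower() for n, v in parse_headers(raw) if n == "x-content-type-options"]
    if not values:
        return "missing"
    # "nosniff" is the only defined value; anything else, or a conflicting
    # duplicate header, gives no protection and is flagged as invalid.
    return "ok" if all(v == "nosniff" for v in values) else "invalid"


# Constructed sample responses (not captured from joola.io).
MISSING = "HTTP/1.1 200 OK\r\nContent-Type: text/html\r\n\r\n<html>"
OK = "HTTP/1.1 200 OK\r\nContent-Type: text/html\r\nx-content-type-options: NoSniff\r\n\r\n<html>"
INVALID = "HTTP/1.1 200 OK\r\nX-Content-Type-Options: sniff\r\n\r\n"

if __name__ == "__main__":
    for label, resp in (("missing", MISSING), ("ok", OK), ("invalid", INVALID)):
        print(label, "->", nosniff_status(resp))
```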