Mozilla Foundation Security Advisory 2010-32

Title: Content-Disposition: attachment ignored if Content-Type: multipart also present
Impact: Moderate
Announced: June 22, 2010
Reporter: Ilja van Sprundel
Products: Firefox, SeaMonkey

Fixed in:
* Firefox 3.6.4
* Firefox 3.5.10
* SeaMonkey 2.0.5

Description

Security researcher Ilja van Sprundel of IOActive reported that the Content-Disposition: attachment HTTP header was ignored when Content-Type: multipart was also present. This issue could potentially lead to XSS problems in sites that allow users to upload arbitrary files and specify a Content-Type but rely on Content-Disposition: attachment to prevent the content from being displayed inline.

References

* https://bugzilla.mozilla.org/show_bug.cgi?id=537120
* CVE-2010-1197
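
The server-side pattern the description refers to, hardened so that it does not rely on Content-Disposition: attachment alone. This is an added example, not part of the advisory and not Mozilla's code; the function names, the allowlist and the sample records are assumptions for a hypothetical upload-serving site.

```python
import re

# Assumed allowlist: types this hypothetical site is willing to echo back.
INERT_TYPES = {"image/png", "image/jpeg", "image/gif", "application/pdf"}
TOKEN = r"[a-z0-9!#$&^_.+-]+"
MEDIA_TYPE = re.compile(rf"^{TOKEN}/{TOKEN}$")


def normalize_type(claimed):
    """Map an uploader-supplied Content-Type to (type_to_serve, reason)."""
    media = (claimed or "").split(";", 1)[0].strip().lower()
    if not MEDIA_TYPE.match(media):
        return "application/octet-stream", "malformed"
    if media.startswith("multipart/"):
        # The case in this advisory: affected browsers ignored
        # Content-Disposition: attachment for multipart responses.
        return "application/octet-stream", "multipart-rejected"
    if media not in INERT_TYPES:
        return "application/octet-stream", "not-allowlisted"
    return media, "ok"


def download_headers(filename, claimed_type):
    """Response headers for serving one stored upload."""
    media, _reason = normalize_type(claimed_type)
    # Keep the filename to a safe character set so it cannot break the header.
    safe_name = re.sub(r"[^A-Za-z0-9._-]", "_", filename)[:100] or "download"
    return [
        ("Content-Type", media),
        ("Content-Disposition", f'attachment; filename="{safe_name}"'),
        ("X-Content-Type-Options", "nosniff"),
    ]


def audit_uploads(records):
    """Return ids of stored uploads whose claimed type would not be echoed."""
    return [r["id"] for r in records if normalize_type(r["type"])[1] != "ok"]


# Constructed sample records, not taken from any real system.
SAMPLE = [
    {"id": 1, "type": "image/PNG"},
    {"id": 2, "type": "multipart/x-mixed-replace; boundary=x"},
    {"id": 3, "type": "text/html\r\nX-Injected: 1"},
]

if __name__ == "__main__":
    print(audit_uploads(SAMPLE))
    print(download_headers("report.html", SAMPLE[1]["type"]))
```

Running audit_uploads over the stored metadata of existing uploads shows which files were saved with a multipart or otherwise unexpected type before the normalization was in place.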

