Home arrow News & Blog arrow Is that your web site I smell?
Is that your web site I smell?

Implemented in Internet Explorer 4 as a technique to improve the end user experience1, ‘MIME sniffing’ or MIME type detection helps the browser determine file formats on the web such as text, HTML, and audio/video2. However, when IE detects a conflict while MIME sniffing (i.e. it encounters an image that is really a script) potential vulnerabilities arise:

[An] image that seems harmless at first glance may actually be dangerous if it begins with some HTML code, because Internet Explorer will then execute that code. This gives an attacker an opportunity to embed JavaScript in images and exploit the attack vector to execute cross-site scripting [(XSS)] attacks. [source]

 If your web site contains this type of “cloaked” file, then malicious code can be triggered when someone views your site. With the expansion of so much user-generated content these days, and the slow adoption of IE8 (which is not vulnerable to this exploit), the MIME sniffing feature has actually become a serious liability as users have increasing access to placing files (and images in particular) on web servers. 

For those of us who run and maintain Joomla web sites, the only real point of vulnerability in the core Joomla extensions is the upload feature in Media Manager. Of particular concern are the many Joomla-powered sites that allow registered users to submit content. When submitting an article, users can access the upload feature in Joomla by clicking the ‘Image’ button below the editor and thus potentially upload malicious file types as described above.

Very few Joomla web sites stick with just the core extensions. In fact, the vast array of extensions for Joomla is one of the main benefits of the Joomla platform (Full disclosure: the author is a curator on the Joomla Extensions Directory team at Joomla.org). Many of these extensions take advantage of the Joomla API and when user input is needed, the same content editor used in the Joomla core is used in these extensions. For example, JCal Pro uses the Joomla content editor when users submit new events.

Thus, there are numerous Joomla web sites that allow user input via a core extension or a third party extension that may be vulnerable to a XSS attack due to MIME sniffing in IE4 through IE7.

Fortunately, there are a number of practical, common sense ways to protect your Joomla site from the MIME sniffing vulnerability depending on the goals and workflow on your site:

  1. Upgrade your Joomla web site to version 1.5.11 - In this version of Joomla, access to the upload feature is by default restricted to users in or above the ‘Author’ usergroup. This is a critical first step, but if your site relies on users submitting content and uploading files, you must manually change this setting back to ‘Registered’ (see screenshot below). Note that Joomla 1.5.11 does change the upload feature itself to be more secure from MIME sniffing, it simply adds fine-grained access control to the upload feature .
  2. Block access to the upload feature - If your registered users need to submit content but do not need to upload images, simply disable the ‘Editor button - Image‘ plugin in the backend Joomla plugin manager. Users will be able to submit content, but will be limited to using the images already present on the site, or to images uploaded via 3rd party extensions. If you would like ‘Authors’ and higher usergroups to still be able to upload images, you could also leave the plugin published, but change it’s access level to ‘Special’.
  3. Pre-screen content providers - While Joomla manages user registration very efficiently, there is no way moderate new users beyond requiring a valid e-mail address. Try a third-party extension to moderate new users/content providers so that only trusted individuals have the ability to submit content.
  4. Promote trusted content providers - If you’d like to keep the default Joomla settings for uploading as ‘Author’, consider promoting only trusted ‘Registered users’ to the ‘Author’ usergroup. In this situation, you’ll also want to change the permissions for any “Submit Article” links to ‘Special’.
  5. Be sure that the permissions for submitting content in any third-party extensions match those set for the upload feature and/or the ‘Editor button - Image’ plugin. Using JCal Pro as an example, if you allow only ‘Authors‘ to upload images, be sure that you either restrict the ‘Editor button - Image’ plugin to the ‘Special’ usergroup, or restrict the submission of new JCal Pro events to ‘Authors’.

1In the early days of the internet (and even today on poorly configured web servers) it was not uncommon for the file format to be incorrectly identified by the browser. To reduce these errors and thus improve the user experience, Microsoft implemented ‘MIME sniffing’ (or MIME type detection) in Internet Explorer 4. MIME sniffing helps IE determine the file format of content that has been downloaded by comparing the file extension, file signature and the MIME type. When these 3 parameters match, things proceed as expected and the files are routed/rendered as appropriate. However, if there is a conflict between these parameters, IE renders the file according to the MIME type and this is where potential vulnerabilities arise. For example, what appears to be an image could be executed as an HTML file.

2Content on the internet is classified by the Internet media or MIME type, a standard to describe file formats on the Internet. When a file is served to a web browser, the browsers examine things like the file extension, file signature or MIME type to determine the appropriate action. For example, if a ZIP file is served, the browser may prompt the user to save the file. If an image is served, the browser will display the image. The following list represents some common MIME types all web developers and many web users will recognize:

  • application/zip: ZIP archive files
  • audio/mpeg: MP3 or other MPEG audio
  • image/jpeg: JPEG JFIF image
  • text/html: HTML

Comments (0)

Subscribe to this comment's feed

Write comment

smaller | bigger

busy
Last Updated ( Thursday, 18 June 2009 )