
Imagine a server that serves untrusted user-provided files and allows other users to download them. Under some circumstances the server can be tricked into returning responses to file-download requests without a Content-Disposition header (i.e. the files are shown inline in the browser window).

However, other measures of security hygiene are still in place:

  • Files are served from a different domain than the main site's content
  • A correct Content-Type and X-Content-Type-Options: nosniff are present

What are the security risks of returning responses without a Content-Disposition header?

Rory Alsop
Andrei Botalov

1 Answer


It depends on what file types are allowed to be uploaded and how the files are being handled.

  • If the page is loaded directly, the file ends in .php and the web server recognizes and executes PHP files, then you risk having the entire domain compromised.
  • A smaller issue is that an HTML file may be a phishing page, sending any results to a server controlled by the attacker (cross-domain posting via JavaScript may not be possible, but you can make any cross-domain request through (visible or invisible) forms). The domain, and perhaps even the HTTPS certificate, clearly shows that it is on your domain or a subdomain (unless you use a completely different domain), and thus the user might think that the page is trustworthy.
  • And perhaps other things that don't come to mind right now.
Luc
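As an added example (not part of the question or of Luc's answer), here is a small Python module that builds the response headers the question describes (correct type, nosniff, but no Content-Disposition), their hardened counterpart, and a check that tells the two apart, i.e. whether a browser would render the body as a page or save it. The function names and the sample filenames are my own assumptions; the `sandbox` Content-Security-Policy directive is an additional safeguard that neither the question nor the answer mentions.

```python
"""Added example: response-header hygiene for user-uploaded downloads.

Not code from the original question or answer. All function names are
illustrative; the sandbox CSP is an extra layer beyond what the post describes.
"""
import re
from urllib.parse import quote

# Types a browser will happily render as a document if nothing tells it to
# download instead. An uploaded "invoice.html" with these types is exactly
# the phishing-page scenario from the answer.
RENDERABLE_TYPES = {
    "text/html", "application/xhtml+xml", "image/svg+xml",
    "application/pdf", "text/xml", "application/xml",
}


def _get(headers: dict, name: str, default: str = "") -> str:
    """Case-insensitive header lookup (HTTP header names are case-insensitive)."""
    for key, value in headers.items():
        if key.lower() == name.lower():
            return value
    return default


def content_disposition(filename: str) -> str:
    """Build an RFC 6266 'attachment' header.

    The plain filename parameter gets an ASCII-only sanitised name so that
    quotes, path separators or control characters from the uploader cannot
    break the header; the full name goes into filename* (RFC 5987 encoding).
    """
    ascii_name = re.sub(r"[^A-Za-z0-9._-]", "_", filename) or "download"
    encoded = quote(filename, safe="")
    return f"attachment; filename=\"{ascii_name}\"; filename*=UTF-8''{encoded}"


def vulnerable_headers(content_type: str) -> dict:
    """The situation from the question: correct type and nosniff are set,
    but Content-Disposition is missing, so the browser may render inline."""
    return {
        "Content-Type": content_type,
        "X-Content-Type-Options": "nosniff",
    }


def hardened_headers(filename: str, content_type: str) -> dict:
    """Same response, but forced to download and, if it is ever rendered
    anyway, sandboxed: no scripts, no form submission, no subresources."""
    headers = vulnerable_headers(content_type)
    headers["Content-Disposition"] = content_disposition(filename)
    # Assumption: serving this CSP on the download origin is acceptable.
    # 'sandbox' without allow-forms/allow-scripts neuters a phishing form.
    headers["Content-Security-Policy"] = "sandbox; default-src 'none'"
    return headers


def renders_inline(headers: dict) -> bool:
    """True if a browser would display this response as a page.

    That happens when Content-Disposition is absent or 'inline' AND the
    Content-Type is one browsers render. With nosniff set, an unknown or
    binary type is downloaded regardless, so only renderable types count.
    """
    disposition = _get(headers, "Content-Disposition", "inline")
    if disposition.split(";")[0].strip().lower() == "attachment":
        return False
    ctype = _get(headers, "Content-Type").split(";")[0].strip().lower()
    return ctype in RENDERABLE_TYPES


if __name__ == "__main__":
    # Constructed sample: an uploaded HTML file posing as an invoice.
    for label, h in (
        ("missing Content-Disposition", vulnerable_headers("text/html")),
        ("hardened", hardened_headers("invoice.html", "text/html")),
        ("octet-stream, no disposition", vulnerable_headers("application/octet-stream")),
    ):
        print(f"{label}: renders inline = {renders_inline(h)}")
```

The check reflects the point of the question: nosniff only stops the browser from guessing a different type than the one you sent, so an HTML upload served as `text/html` without `Content-Disposition: attachment` is still rendered as a page on your download origin. The sandbox CSP is defence in depth for the case the question describes, where the disposition header gets lost somewhere between the application and the client.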