Hello. I've wanted to raise an issue that actually isn't within Drupal itself. There is an XSS vulnerability that IE MIME-sniffer creates, which can be easily exploited in Drupal with Upload module enabled. Drupal Security Team won't release a fix, because it's out of Drupal control. More information on vulnerability and fix can be found here

Here is an extract from my blog:

IE always loved to create vulnerabilities where they would never be. Not many people know, but there is an old bug in IE MIME-sniffer, which can be easily exploited. The essence of the bug is that when IE renders file, which was sent along with Content-type: text/plain header, it tries to identify its MIME type. So, if file contains HTML code inside, IE will think its text/html and render it. Simple example of exploit in Drupal:
1. There is a Drupal site with enabled Upload module.
2. Attacker uploads *.txt file with HTML code inside. By default Drupal allows *.txt files.
3. Attacker sends a link to that file to victim.
4. Victim opens it in IE and HTML code is rendered.

It's pretty bad that Drupal core, which is tough by default, can be exploited in such a simple manner. I understand that it's not Drupal issue, but Microsoft isn't going to fix it. Instead, they suggest to send X-Content-Type-Options: nosniff HTTP response header. But, it's not possible to do this in Drupal and Drupal Security Team didn't fix it for 2 years and won't do this in future. So, if you are aware of your users' safety, remove .txt from allowed tags. You can do this in Administer -> Site configuration -> File uploads.

Comments

p0deje’s picture

So, solutions are the following:
1) Remove txt from allowed filetype. The best solution, but make you didn't add any extension like it
2) Add 'X-Content-Type-Options: nosniff' header. Bad solution, because work only in IE8.
3) Add 'Content-disposition: attachment' header. Good solution. It will show dialog for file download instead of rendering it