View Issue Details

ID: 0000287
Project: XMB1
Category: Bugs
View Status: public
Last Update: 2010-01-23 18:18
Reporter: miqrogroove
Assigned To: miqrogroove
Priority: high
Severity: crash
Reproducibility: always
Status: closed
Resolution: fixed
Product Version: 1.9.8 SP2
Target Version: 1.9.11.03
Fixed in Version: 1.9.11.03
Summary: 0000287: Opera treats application/octet-stream as text/html
Description: This is a little bit scary in terms of XSS vulnerability. I'm not even sure at this point if it can be fixed by XMB.
Steps To Reproduce: Open Opera and hit a *.php file attachment such as...
http://forums.xmbforum.com/files.php?pid=1357206&aid=19497
Additional Information: http://code.google.com/p/browsersec/wiki/Part2#Survey_of_content_sniffing_behaviors

http://forums.xmbforum.com/viewthread.php?tid=762089&goto=search&pid=1280493
Tags: No tags attached.
MySQL Version:
PHP Version:
Web Server:
Browser: Opera
Flags: Critical Patch
Original Reporter:
SVN Revision: 1764

Activities

2009-03-01 12:10

 

issue287.patch (593 bytes)   
Index: files.php
===================================================================
--- files.php	(revision 1755)
+++ files.php	(working copy)
@@ -185,11 +185,11 @@
 $db->query("UPDATE ".X_PREFIX."attachments SET downloads=downloads+1 WHERE aid=$aid");
 
 // Set response headers
-$type = strtolower($file['filetype']);
-$type = ($type == 'text/html') ? 'text/plain' : $type;
 if ($file['img_size'] == '') {
+    $type = 'application/binary';
     $dispositionType = 'attachment';
 } else {
+    $type = strtolower($file['filetype']);
     $dispositionType = 'inline';
 }
 
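Review bot: In the `else` branch, `$type = strtolower($file['filetype']);` now sends the stored file type with an inline disposition and no filtering, and the removed `text/html` to `text/plain` rewrite is not replaced by anything on that path. The safety of this rests on `img_size` being non-empty only for genuine images, which this hunk does not show; consider restricting the inline branch to an explicit list of image types and falling back to `application/binary` with `attachment` for anything else. A short comment on why `application/binary` is used rather than `application/octet-stream` (the Opera sniffing behaviour in this issue) would also help the next maintainer.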

miqrogroove

2009-03-01 12:38

administrator   ~0000163

This needs to be tested separately on version 1.9.10 because of the different attachment systems.

2009-03-01 13:29

 

issue287-1_9_10.patch (494 bytes)   
Index: viewthread.php
===================================================================
--- viewthread.php	(revision 1756)
+++ viewthread.php	(working copy)
@@ -691,9 +691,8 @@
         error($lang['filecorrupt']);
     }
 
-    $type = strtolower($file['filetype']);
     $size = (int) $file['filesize'];
-    $type = ($type == 'text/html') ? 'text/plain' : $type;
+    $type = 'application/binary';
 
     header("Content-type: $type");
     header("Content-length: $size");
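Review bot: `$type = 'application/binary';` is now a hard-coded value applied to every attachment served from this path, with nothing in the code saying why. Add a comment pointing to the Opera handling of `application/octet-stream` described in this issue so the value is not later "corrected" back. Only `Content-type` and `Content-length` are visible here; if the lines that follow do not already send a `Content-Disposition: attachment` header, it should be added, since the type alone leaves the rendering decision to the browser. Once `$type` is a constant, the header call can also use the literal directly.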

miqrogroove

2009-03-01 19:08

administrator   ~0000165

Patches already attached. We have fixes that need to be released for the upgrader as well, so there's no need to hide this issue. This affects the Opera web browser only.

Issue History

Date Modified Username Field Change
2009-03-01 09:50 miqrogroove New Issue
2009-03-01 09:50 miqrogroove Browser => Opera
2009-03-01 12:10 miqrogroove File Added: issue287.patch
2009-03-01 12:13 miqrogroove Status new => confirmed
2009-03-01 12:13 miqrogroove Projection none => tweak
2009-03-01 12:13 miqrogroove Product Version 1.9.11 => 1.9.8 SP2
2009-03-01 12:13 miqrogroove Additional Information Updated
2009-03-01 12:20 miqrogroove Target Version => 1.9.11.03
2009-03-01 12:38 miqrogroove Note Added: 0000163
2009-03-01 13:29 miqrogroove File Added: issue287-1_9_10.patch
2009-03-01 18:03 miqrogroove Additional Information Updated
2009-03-01 19:08 miqrogroove Note Added: 0000165
2009-03-01 19:08 miqrogroove Assigned To => miqrogroove
2009-03-01 19:08 miqrogroove Status confirmed => assigned
2009-03-01 19:08 miqrogroove ETA none => < 1 day
2009-03-01 19:08 miqrogroove View Status private => public
2009-03-01 19:08 miqrogroove Steps to Reproduce Updated
2009-03-01 19:37 miqrogroove Flags => Critical Patch
2009-03-01 19:37 miqrogroove SVN Revision => 1764
2009-03-01 19:37 miqrogroove Status assigned => resolved
2009-03-01 19:37 miqrogroove Fixed in Version => 1.9.11.03
2009-03-01 19:37 miqrogroove Resolution open => fixed
2010-01-23 18:18 miqrogroove Status resolved => closed