Page MenuHomePhabricator

Lock MIME type configuration
ClosedPublic

Authored by epriestley on Mar 25 2015, 11:13 AM.
Tags
None
Referenced Files
F14063193: D12154.diff
Mon, Nov 18, 5:11 PM
F14050263: D12154.diff
Thu, Nov 14, 5:33 PM
F14040874: D12154.diff
Mon, Nov 11, 1:53 PM
F14022790: D12154.diff
Wed, Nov 6, 7:45 PM
F14017495: D12154.diff
Mon, Nov 4, 5:56 PM
F13987889: D12154.id.diff
Mon, Oct 21, 12:02 PM
F13980422: D12154.id29216.diff
Oct 19 2024, 10:33 AM
Unknown Object (File)
Oct 13 2024, 8:20 PM
Subscribers

Details

Summary

Ref T6755. This mitigates an attack where you:

  • compromise an administrative account;
  • configure "text/plain" as an "image" MIME type; and
  • create a new macro sourced from a sensitive resource which is locally accessible over HTTP GET, using DNS rebinding.

You can then view the content of the resource in Files. By preventing the compromised account from reconfiguring the MIME types, the server will instead destroy the response and prevent the attacker from seeing it.

In general, these options should change very rarely, and they often sit just beyond the edge of security vulnerabilities anyway.

For example, if you ignore the warnings about an alternate file domain and elect to serve content from the primary domain, it's still somewhat difficult for an attacker to exploit the vulnerability. If they can add "text/html" or "image/svg+xml" as image MIME types, it becomes trivial. In this case not having an alternate domain is the main issue, but easy modification of this config increases risk/exposure.

Test Plan

Viewed affected config and saw that it is locked.

Diff Detail

Repository
rP Phabricator
Lint
Lint Not Applicable
Unit
Tests Not Applicable

Event Timeline

epriestley retitled this revision from to Lock MIME type configuration.
epriestley updated this object.
epriestley edited the test plan for this revision. (Show Details)
epriestley added a reviewer: btrahan.
btrahan edited edge metadata.
This revision is now accepted and ready to land.Mar 25 2015, 4:57 PM
This revision was automatically updated to reflect the committed changes.