Running Scripts sent as text/plain

Posted: Sun Mar 21, 2010 7:40 pm
by dhouwn
While browsers won't apply stylesheets sent as text/plain (except in quirks mode) they will run scripts sent with this MIME type, would many sites break if they wouldn't?

How about adding the prevention of executing external scripts delivered with the wrong MIME type as an experimental feature to NoScript?

Re: Running Scripts sent as text/plain

Posted: Sun Mar 21, 2010 9:03 pm
by Giorgio Maone

Re: Running Scripts sent as text/plain

Posted: Sun Mar 21, 2010 9:13 pm
by therube
Happened to have Error Console opened & it mentioned:

Error: The stylesheet http://ibid4216487243.plumd.dnsstuff.com/style.css was not loaded because its MIME type, "text/html", is not "text/css".
Source File: http://www.dnsstuff.com/tools/whois/?ip=
Line: 0
So suppose something like what you suggest is not unheard of.

Re: Running Scripts sent as text/plain

Posted: Sun Mar 21, 2010 9:16 pm
by therube
Guess it works then ;-).

Re: Running Scripts sent as text/plain

Posted: Mon Mar 22, 2010 1:39 am
by dhouwn
Hm… interesting, I had something like this in memory, but then this test passed with no mention in the error console.
therube wrote: So suppose something like what you suggest is not unheard of.
That's a stylesheet…

Re: Running Scripts sent as text/plain

Posted: Mon Mar 22, 2010 9:52 am
by Giorgio Maone
dhouwn wrote: Hm… interesting, I had something like this in memory, but then this test passed with no mention in the error console.
Because of the overwhelming false positives which were found during early tests of this feature, NoScript's inclusion type checking has been carefully tuned to cover a limited but very important scenario: the case of a whitelisted CMS-like site which allows uploading of "safe" file types (e.g. zip archives or text documents). This can be exploited, for instance, by an attacker who manages to compromise another whitelisted site, injecting a script or stylesheet inclusion which references a "fake" zip from the CMS that is actually a Javascript payload, and gets executed because the hosting site is whitelisted.

Therefore the checks are performed only for cross-site inclusions where the origin's base domain differs from the requested file's, and by default server-side scripts (e.g. ASP or PHP URLs) are not checked.

You can see this in action here.
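A simplified model of the inclusion type check described in this thread, added here as an illustration and not NoScript's own code: a cross-site script or stylesheet inclusion is blocked when the response Content-Type is not a script or CSS type, same-base-domain inclusions are not checked, and URLs that look like server-side scripts are skipped. The base-domain helper (last two host labels), the MIME lists and the ASP/PHP extension pattern are assumptions of this example.

```javascript
// Added example (not NoScript's code): model of the inclusion type check
// from the thread. Assumes Node.js or a browser with the WHATWG URL class.

// Assumed MIME types a browser treats as script / stylesheet content.
const SCRIPT_TYPES = new Set([
  "application/javascript", "text/javascript",
  "application/x-javascript", "application/ecmascript",
]);
const STYLE_TYPES = new Set(["text/css"]);

// Assumed pattern for "server-side script" URLs, which are not checked by default.
const SERVER_SIDE_EXT = /\.(php|asp|aspx)$/i;

// Simplification (assumption): base domain = last two labels of the host.
// A real implementation would consult a public suffix list (e.g. co.uk).
function baseDomain(hostname) {
  return hostname.toLowerCase().split(".").slice(-2).join(".");
}

// Returns true when the inclusion should be blocked, false when it is allowed
// or falls outside the checked scenario.
function shouldBlockInclusion({ originUrl, requestUrl, kind, contentType }) {
  const origin = new URL(originUrl);
  const request = new URL(requestUrl);

  // Same-site inclusions (same base domain) are not checked at all.
  if (baseDomain(origin.hostname) === baseDomain(request.hostname)) return false;

  // Server-side script URLs are not checked by default.
  if (SERVER_SIDE_EXT.test(request.pathname)) return false;

  // Compare the declared media type (without charset parameters) against
  // what the inclusion kind requires.
  const expected = kind === "script" ? SCRIPT_TYPES : STYLE_TYPES;
  const mime = (contentType || "").split(";")[0].trim().toLowerCase();
  return !expected.has(mime);
}

// Constructed sample: a "fake" zip served from a whitelisted CMS-like host,
// included as a script from a different whitelisted site.
const SAMPLE = {
  originUrl: "https://blog.example.com/post/1",
  requestUrl: "https://cms.example.net/uploads/lib.zip",
  kind: "script",
  contentType: "application/zip",
};
console.log("block fake zip script:", shouldBlockInclusion(SAMPLE)); // true
```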