CESA-2007-004 - rev 1

[See all my vulnerabilities at http://scary.beasts.org/security]

Internet Explorer PNG misdesign

Programs affected: Internet Explorer
Advisory release date: Oct 2nd 2007
Severity: Unexpected XSS attack vector

It seems that this is actually by design, and even documented, but it certainly surprised me. In fact, I'd use the phrase "egregiously unexpected". So it's worth a little note.

It is well known that Internet Explorer has weak (from a security point of view) content-type detection. It is very keen to see HTML in non-HTML content types. The best known example is looking for HTML in the first 256 characters of a plain text response (this misfeature is known as content-type sniffing).

But did you know that you can get script execution via a perfectly well formed PNG image, served with the correct MIME type? The trick is just to put script in a PNG uncompressed comment chunk within the first 256 characters of the PNG.
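The following is an added example, not code from the original advisory, showing the defender's side of this: a PNG chunk walker that flags text chunks (tEXt/zTXt/iTXt) carrying HTML-like markup inside the first 256 bytes that a sniffer would examine, and a sanitiser that rebuilds the file without any text chunks so an image-upload service can serve PNGs without this risk. The 256-byte window comes from the advisory; the function names, the tag heuristic and the 1x1 sample PNG built inline are assumptions made for this example.

```python
import re
import struct
import zlib

PNG_SIGNATURE = b"\x89PNG\r\n\x1a\n"
SNIFF_WINDOW = 256  # bytes a sniffer examines, per the advisory (assumed constant)

# Ancillary chunk types carrying free-form text that an uploader controls.
TEXT_CHUNKS = {b"tEXt", b"zTXt", b"iTXt"}

# Conservative "looks like a tag" heuristic: '<' followed by a letter, '!', '/' or '?'.
TAG_RE = re.compile(rb"<[A-Za-z!/?]")


def make_chunk(ctype: bytes, data: bytes) -> bytes:
    """Serialise one PNG chunk: 4-byte length, type, data, CRC32 over type+data."""
    crc = zlib.crc32(ctype + data) & 0xFFFFFFFF
    return struct.pack(">I", len(data)) + ctype + data + struct.pack(">I", crc)


def iter_chunks(png: bytes):
    """Yield (offset, type, data) for each chunk; raise ValueError on malformed input."""
    if not png.startswith(PNG_SIGNATURE):
        raise ValueError("not a PNG")
    pos = len(PNG_SIGNATURE)
    while pos < len(png):
        if pos + 8 > len(png):
            raise ValueError("truncated chunk header")
        length, ctype = struct.unpack(">I4s", png[pos:pos + 8])
        end = pos + 12 + length
        if end > len(png):
            raise ValueError("truncated chunk data")
        data = png[pos + 8:pos + 8 + length]
        expected = struct.unpack(">I", png[pos + 8 + length:end])[0]
        if zlib.crc32(ctype + data) & 0xFFFFFFFF != expected:
            raise ValueError("bad CRC in %r chunk" % ctype)
        yield pos, ctype, data
        pos = end
        if ctype == b"IEND":
            break


def markup_in_sniff_window(png: bytes) -> bool:
    """True if a text chunk has tag-like bytes inside the first SNIFF_WINDOW bytes.

    zTXt and iTXt payloads may be deflate-compressed, so this scan is best-effort
    for those; strip_text_chunks() is the robust mitigation."""
    for offset, ctype, data in iter_chunks(png):
        data_start = offset + 8  # data begins after length + type fields
        if data_start >= SNIFF_WINDOW:
            break
        if ctype in TEXT_CHUNKS:
            visible = data[:SNIFF_WINDOW - data_start]
            if TAG_RE.search(visible):
                return True
    return False


def strip_text_chunks(png: bytes) -> bytes:
    """Rebuild the PNG without any text chunks; image data is copied unchanged."""
    out = bytearray(PNG_SIGNATURE)
    for _, ctype, data in iter_chunks(png):
        if ctype not in TEXT_CHUNKS:
            out += make_chunk(ctype, data)
    return bytes(out)


def build_sample_png(comment: bytes) -> bytes:
    """Constructed 1x1 8-bit grayscale PNG with a tEXt chunk placed before IDAT."""
    ihdr = struct.pack(">IIBBBBB", 1, 1, 8, 0, 0, 0, 0)
    text = b"Comment\x00" + comment  # tEXt: keyword, NUL, Latin-1 text
    idat = zlib.compress(b"\x00\x00")  # filter byte 0 plus one gray pixel
    return (PNG_SIGNATURE + make_chunk(b"IHDR", ihdr) + make_chunk(b"tEXt", text)
            + make_chunk(b"IDAT", idat) + make_chunk(b"IEND", b""))


if __name__ == "__main__":
    sample = build_sample_png(b"<html>constructed marker</html>")
    print("markup in sniff window:", markup_in_sniff_window(sample))
    print("after stripping:", markup_in_sniff_window(strip_text_chunks(sample)))
```

The check is deliberately conservative: any tag-like sequence in the sniffing window is flagged, because the exact heuristics a sniffer applies are not something a server can rely on. For an upload pipeline, re-encoding or stripping ancillary text chunks on every PNG, rather than trying to match the sniffer's rules, is the simpler policy.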

Here is a sample PNG.

Chris Evans