V5 - Validation/Sanitization
Rosetta Flash
POC
The web application allows uploading an image file. The uploaded image is served through a Servlet that accepts an encoding/language parameter. The attacker uploads a malicious Flash file as an image ("flashsniff.png") and forges a malicious web page with the following payload
The hosting server will respond with the following headers:
HTTP/1.1 200 OK
....
X-Content-Type-Options: nosniff
....
Content-Length: 733
Content-Type: image/png; charset=utf-8; lang=application/x-shockwave-flash
In this case Flash will execute the uploaded file as a Flash application, even though X-Content-Type-Options: nosniff is set, because the attacker controls the file's content and the lang value reflected into the Content-Type header.
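The two weaknesses in the POC are that the upload path trusts the file extension and that the serving Servlet reflects the language parameter into Content-Type. The following added example (not code from the original page or from the application it describes) shows both the vulnerable header construction and a hardened upload/serving path in Python; the function names, the allowlist of languages and the constructed sample bytes are assumptions made for illustration.

```python
# Added example: defensive validation for the upload and serving paths.
# Function names, the language allowlist and sample inputs are constructed.

# Magic bytes of the image formats the upload endpoint is meant to accept.
IMAGE_SIGNATURES = {
    b"\x89PNG\r\n\x1a\n": "image/png",
    b"\xff\xd8\xff": "image/jpeg",
    b"GIF87a": "image/gif",
    b"GIF89a": "image/gif",
}

# SWF container signatures: uncompressed, zlib-compressed and LZMA-compressed.
SWF_SIGNATURES = (b"FWS", b"CWS", b"ZWS")

# Languages the Servlet is allowed to announce; anything else falls back to "en".
ALLOWED_LANGS = {"en", "de", "fr"}


def sniff_image_type(data: bytes):
    """Return the MIME type implied by the file's leading bytes, or None.

    The client-supplied filename/extension is ignored entirely: a file named
    flashsniff.png whose bytes start with an SWF header is rejected here.
    """
    if data.startswith(SWF_SIGNATURES):
        return None
    for signature, mime in IMAGE_SIGNATURES.items():
        if data.startswith(signature):
            return mime
    return None


def accept_upload(data: bytes):
    """Upload-side check: returns the MIME type to store with the file,
    or None if the file is not one of the allowed image formats."""
    return sniff_image_type(data)


def vulnerable_content_type(stored_mime: str, lang: str) -> str:
    """Mirrors the behaviour in the POC: the request's lang parameter is
    concatenated into Content-Type without validation, so an attacker can
    produce 'image/png; charset=utf-8; lang=application/x-shockwave-flash'."""
    return f"{stored_mime}; charset=utf-8; lang={lang}"


def hardened_headers(stored_mime: str, lang: str) -> dict:
    """Serving-side fix: the language is checked against an allowlist and sent
    in its own header, never inside Content-Type, which is fixed to the MIME
    type established from the file's magic bytes at upload time."""
    if lang not in ALLOWED_LANGS:
        lang = "en"
    return {
        "Content-Type": stored_mime,
        "Content-Language": lang,
        "X-Content-Type-Options": "nosniff",
    }


if __name__ == "__main__":
    # Constructed sample inputs: a minimal PNG header and a zlib-compressed SWF header.
    png_bytes = b"\x89PNG\r\n\x1a\n" + b"\x00" * 16
    swf_bytes = b"CWS\x0a" + b"\x00" * 16
    print("png upload ->", accept_upload(png_bytes))   # image/png
    print("swf upload ->", accept_upload(swf_bytes))   # None (rejected)
    print(vulnerable_content_type("image/png", "application/x-shockwave-flash"))
    print(hardened_headers("image/png", "application/x-shockwave-flash"))
```

The magic-byte check is what stops the upload in the POC, since the SWF header is rejected regardless of the .png extension; the hardened header function closes the second half of the issue by never letting request input reach the Content-Type value.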
Impact
High
Likelihood
High