Question: What is the "Content-disposition" header in HTTP response?
Answer: Simply put, it tells your browser what kind of content it is receiving so it can choose how to handle it being displayed,
For example: Content-Disposition: attachment;filename="test.html";filename*=UTF-8''test.html
which means that the server is telling the client: "Yo!, here is that thing you requested, by the way... it is a file"
Now, Back on topic:
iPhone iOS safari will ignore the content disposition header and display the content if it is clicked, to display this in a POC I have created a file called:
test.pleasedonttouchme
And I emailed it to myself, when I opened the attachment in my iPhone's safari, the server told the iPhone that this is a file and not an HTML page but still the safari app opened the file as an html, and here is the picture:
At first I thought this might be a google bug, but no, Google servers send this header in the response:
Content-Disposition: attachment; filename="test.pleasedonttouchme"
which means that the receiving application should handle this content as type of "pleasedonttouchme" but instead is handeling it like it is HTML.
But wait!
There is more...
When googling for similar CVE's I found this:
and in that page you can see this interesting piece of data:
SafariAvailable for: iOS 3.0 through 4.3.5 for iPhone 3GS and iPhone 4, iOS 3.1 through 4.3.5 for iPod touch (3rd generation) and later, iOS 3.2 through 4.3.5 for iPad
Impact: Opening maliciously crafted files on certain websites may lead to a cross-site scripting attack
Description: iOS did not support the 'attachment' value for the HTTP Content-Disposition header. This header is used by many websites to serve files that were uploaded to the site by a third-party, such as attachments in web-based e-mail applications. Any script in files served with this header value would run as if the file had been served inline, with full access to other resources on the origin server. This issue is addressed by loading attachments in an isolated security origin with no access to resources on other sites.
CVE-ID
CVE-2011-3426 : Christian Matthies working with iDefense VCP, Yoshinori Oota from Business Architects Inc working with JP/CERT
Ok, Cool, This is exactly what I am talking about... but wait... i am using iOS 5.1.1 and this is relating to iOS 5... wait... what???
I have verified this on all iOS versions from 4.2.1 and up to 5.1.1 (Not iOS 6 beta yet)
The end.