Mozilla Foundation Security Advisory 2010-32
Title: Content-Disposition: attachment ignored if Content-Type: multipart also present
Impact: Moderate
Announced: June 22, 2010
Reporter: Ilja van Sprundel
Products: Firefox, SeaMonkey
Fixed in: Firefox 3.6.4, Firefox 3.5.10, SeaMonkey 2.0.5
Description
Security researcher Ilja van Sprundel of IOActive reported that the Content-Disposition: attachment HTTP header was ignored when Content-Type: multipart was also present. This issue could potentially lead to XSS problems in sites that allow users to upload arbitrary files and specify a Content-Type but rely on Content-Disposition: attachment to prevent the content from being displayed inline.
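For sites of the kind described above, a server-side mitigation is to stop echoing the uploader's Content-Type back on download. The following is an added example, not code from Mozilla or from this advisory; the allowlist and the function names are assumptions made for illustration.

```python
import re

# Types this hypothetical site is willing to echo back for downloads (assumed allowlist).
SAFE_TYPES = {"application/pdf", "application/zip", "image/png", "image/jpeg", "text/plain"}
FALLBACK_TYPE = "application/octet-stream"

# RFC 7230 "token" characters, used to validate each half of type/subtype.
_TOKEN = re.compile(r"^[A-Za-z0-9!#$%&'*+.^_`|~-]+$")


def safe_content_type(user_supplied):
    """Return a Content-Type that is safe to serve for an uploaded file."""
    if not user_supplied:
        return FALLBACK_TYPE
    # Drop parameters (boundary=, charset=) and normalise case and whitespace.
    media_type = user_supplied.split(";", 1)[0].strip().lower()
    main, sep, sub = media_type.partition("/")
    if not sep or not _TOKEN.match(main) or not _TOKEN.match(sub):
        return FALLBACK_TYPE
    # multipart/* is the type the advisory names; never echo it back.
    if main == "multipart":
        return FALLBACK_TYPE
    return media_type if media_type in SAFE_TYPES else FALLBACK_TYPE


def safe_filename(name):
    """Reduce an uploaded name to characters safe inside a quoted header value."""
    base = re.split(r"[\\/]", name or "")[-1]
    cleaned = re.sub(r"[^A-Za-z0-9._-]", "_", base).lstrip(".")
    return cleaned[:100] or "download"


def download_headers(user_content_type, user_filename):
    """Build response headers for serving an untrusted upload."""
    return {
        "Content-Type": safe_content_type(user_content_type),
        "Content-Disposition": 'attachment; filename="%s"' % safe_filename(user_filename),
        # Ask browsers that support it not to sniff a different type.
        "X-Content-Type-Options": "nosniff",
    }
```

With this in place the download response no longer depends on the browser honouring Content-Disposition: attachment alone, since an uploader-chosen multipart type is replaced before it reaches the client.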