Mozilla developer Daniel Veditz reported that when
the jar:
scheme is used to wrap a URI which serves the
content with Content-Disposition: attachment
, the HTTP
header is ignored and the content is unpacked and displayed inline. A
site may depend on this HTTP header to prevent potentially untrusted
content that it serves from executing within the context of the site.
An attacker could use this vulnerability to subvert sites using this
mechanism to mitigate content injection attacks.
This vulnerability has not been fixed on the Mozilla 1.8.1 branch, which is used to build Firefox 2 and Thunderbird 2. However, note that there are several mitigating factors which prevent easy exploitation of this issue. In order for a website to be exploitable it must:
application/java-archive
or application/x-jar
Content-Disposition: attachment