CAPEC-209: Cross-Site Scripting Using MIME Type Mismatch
Attack Pattern ID: 209
The victim must follow a crafted link that references a scripting file mislabeled as a non-executable file type.
The victim's browser must detect the true type of the mislabeled scripting file and invoke the appropriate script interpreter without first filtering the content.
The attacker must be able to host the script file so that it is served under the incorrect MIME type.
Outlook Express 6.00 allows remote attackers to execute arbitrary script by embedding SCRIPT tags in a message whose MIME content type is text/plain, contrary to the expected behavior that text/plain messages will not run script.
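An added check, not part of the CAPEC entry, that tests a response for the precondition above (active markup served under a non-executable declared type) and shows the header that tells modern browsers not to sniff. The header names are real; the sample response and the list of passive types are constructed for illustration.

```python
"""Added example (not CAPEC's own code): detect the MIME-mismatch condition
this pattern depends on and show the header that defeats content sniffing.
Sample responses below are constructed for illustration."""
import re

# Declared types under which a body should never be rendered as HTML/script.
PASSIVE_TYPES = {"text/plain", "image/png", "image/jpeg", "image/gif",
                 "application/octet-stream"}
# Markup a type-sniffing renderer could upgrade to HTML and then execute.
ACTIVE_MARKUP = re.compile(rb"<\s*(script|html|body|iframe|object)\b|javascript:",
                           re.IGNORECASE)


def audit_response(headers: dict, body: bytes) -> dict:
    """Classify one response. 'exploitable' means a sniffing browser could
    execute the body despite its non-executable (or missing) declared type."""
    h = {k.lower(): v for k, v in headers.items()}
    declared = h.get("content-type", "").split(";")[0].strip().lower()
    nosniff = h.get("x-content-type-options", "").strip().lower() == "nosniff"
    # An absent Content-Type forces the browser to guess; treat it like a passive type.
    mismatch = (declared == "" or declared in PASSIVE_TYPES) and bool(ACTIVE_MARKUP.search(body))
    return {
        "declared": declared or None,
        "mismatch": mismatch,
        "nosniff": nosniff,
        "exploitable": mismatch and not nosniff,
    }


def harden(headers: dict) -> dict:
    """Return headers that stop the browser from second-guessing the declared type."""
    fixed = dict(headers)
    fixed["X-Content-Type-Options"] = "nosniff"
    if not any(k.lower() == "content-type" for k in fixed):
        fixed["Content-Type"] = "text/plain; charset=utf-8"
    return fixed


if __name__ == "__main__":
    # Constructed sample: script markup served as text/plain, the pattern's precondition.
    weak_headers = {"Content-Type": "text/plain"}
    body = b"Hello\n<script>/* constructed sample */</script>\n"
    print(audit_response(weak_headers, body))           # exploitable: True
    print(audit_response(harden(weak_headers), body))   # exploitable: False
```

The mismatch finding is still reported after hardening, since the content is still mislabeled; nosniff only stops the browser from acting on it.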