An attacker creates a file with scripting content but where the specified
MIME type of the file is such that scripting is not expected. Some browsers
will detect that the specified MIME type of the file does not match the
actual type of the content and will automatically switch to using an
interpreter for the real content type. If the browser does not invoke script
filters before doing this, the attacker's script may run on the target
unsanitized. For example, the MIME type text/plain may be used where the
scripting instructions, the stated MIME type would indicate that filtering
is unnecessary. However, if the target application subsequently determines
the file's real type and invokes the appropriate interpreter, scripted
content could be invoked. In another example, img tags in HTML content could
reference a renderable type file instead of an expected image file. The file
extension and MIME type can describe an image file, but the file content can
browser assumes all references in img tags are images, and therefore do not
need to be filtered for scripts, this would bypass content filters. In a
cross-site scripting attack, the attacker tricks the victim into accessing a
URL that uploads a script file with an incorrectly specified MIME type. If
the victim's browser switches to the appropriate interpreter without
filtering, the attack will execute as a standard XSS attack, possibly
revealing the victim's cookies or executing arbitrary script in their
The victim must follow a crafted link that references a scripting file
that is mis-typed as a non-executable file.
The victim's browser must detect the true type of a mis-labeled scripting
file and invoke the appropriate script interpreter without first performing
filtering on the content.
The attacker must have the ability to source the file of the incorrect MIME
type containing a script.
Reliance on File Name or Extension of Externally-Supplied File
Outlook Express 6.00 allows remote attackers to execute arbitrary
script by embedding SCRIPT tags in a message whose MIME content type is
text/plain, contrary to the expected behavior that text/plain messages
will not run script.