On Tue, 2005-01-11 at 23:49 -0800, Brion Vibber wrote:
> In Windows XP SP2, IE now has an option to turn off some of this autodetection, though I'm not sure it fixes all such holes. The unsafe behavior is on by default.
Brion,
in my test only 5.0 exhibits this bug; 5.5 and 6.0 both offer to save the file (both on Win2K). For them the behaviour with PHP is unchanged. There are likely more interesting exploits with 5.0 anyway, possibly requiring more effort from the attacker.
The workaround is to require that a 'raw' access be made from a canonical script URL, which will have a nice boring .php or .phtml extension and doesn't trigger the IE type autodetection bug. I did this with a redirect (instead of simply a 403 rejection) to preserve existing links.
Unfortunately this breaks wikis where edit/diff etc. URLs are supposed to be short and tidy. There the browser gets stuck in an endless redirection loop. It's not too hard to fix this though; I will change it in the next few days.
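The redirect-to-canonical-script workaround described in this thread, written out as an added illustration rather than MediaWiki's own code. The function names, the `/w/index.php` script path and the `canon` marker parameter are assumptions for the example; the marker is what keeps a short-URL wiki, where the rewrite rules hide the script path from the request, from looping forever instead of being served.

```php
<?php
// Added example, not MediaWiki's code: serve a "raw" page body only when the
// request arrived through the canonical script URL, whose ".php" extension
// keeps IE 5.0 from content-sniffing the response into HTML. Requests that
// came in through a short/rewritten URL are redirected once to the canonical
// form. A marker parameter ("canon", an assumption) records that a redirect
// already happened, so a wiki whose rewrite rules turn every URL back into
// a short one is denied rather than bounced in an endless redirect loop.

function canonicalRawUrl(string $scriptPath, string $title): string
{
    return $scriptPath . '?title=' . rawurlencode($title) . '&action=raw&canon=1';
}

// $requestUri: REQUEST_URI as the server saw it (hypothetical input)
// $scriptPath: e.g. "/w/index.php" (assumed layout)
// $params:     decoded query parameters
// Returns ['serve'], ['redirect', $location] or ['deny'].
function handleRaw(string $requestUri, string $scriptPath, string $title, array $params): array
{
    $path = parse_url($requestUri, PHP_URL_PATH) ?? '';
    $viaScript = substr($path, -strlen($scriptPath)) === $scriptPath;
    if ($viaScript) {
        return ['serve'];
    }
    // We already redirected once and still do not see the script path, so
    // the short-URL rewrite is hiding it; refuse instead of redirecting again.
    if (!empty($params['canon'])) {
        return ['deny'];
    }
    return ['redirect', canonicalRawUrl($scriptPath, $title)];
}

// Emit the decision as HTTP. Constructed sample request values below.
function respond(array $decision, string $body): void
{
    switch ($decision[0]) {
        case 'serve':
            header('Content-Type: text/x-wiki; charset=utf-8');
            echo $body;
            break;
        case 'redirect':
            header('Location: ' . $decision[1], true, 302);
            break;
        default:
            http_response_code(403);
            echo 'raw access must use the canonical script URL';
    }
}

// Constructed sample: a short URL on first contact is redirected ...
$first = handleRaw('/wiki/Main_Page?action=raw', '/w/index.php', 'Main_Page', ['action' => 'raw']);
// ... the canonical URL is served ...
$second = handleRaw('/w/index.php?title=Main_Page&action=raw&canon=1', '/w/index.php', 'Main_Page',
    ['action' => 'raw', 'canon' => '1']);
// ... and a rewritten short URL that still carries the marker is denied, not looped.
$third = handleRaw('/wiki/Main_Page?action=raw&canon=1', '/w/index.php', 'Main_Page',
    ['action' => 'raw', 'canon' => '1']);
```

Calling `respond($first, $wikitext)` and following the chain yields one redirect and then the body; a misconfigured short-URL rewrite ends at the 403 on the second request rather than in the loop described above.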