Anti-MIME-Sniffing header X-Content-Type-Options header has not been set.
Unknown
Vulnerability Details
Hi,
The following host "profile-photos-user-content.hackerone.com" does not set the X-Content-Type-Options header to nosniff. If a malicious user is able to upload an image with script content (possible within the comment metadata), Internet Explorer (up to IE8) might render the content as JavaScript and execute malicious code.
The problem is more severe since the photos are uploaded to a subdomain of hackerone.com.
Cheers,
Report Stats
- Report ID: 9479
- State: Closed
- Substate: resolved
- Upvotes: 8
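The report above describes two things a practitioner would want to check on a host serving user uploads: whether the response actually carries a working `X-Content-Type-Options: nosniff`, and whether the served bytes are really an image or carry markup that a sniffing browser could pick up. The following is an added example by the editor, not code from the original report or from HackerOne; the header lists and the sample JPEG bytes are constructed, and the finding codes are the example's own naming.

```python
"""Audit an HTTP response that serves user-uploaded images for the
MIME-sniffing weakness described in the report.

Added example by the editor, not code from the original report or from
HackerOne. Header lists and sample bytes below are constructed.
"""

# Leading bytes of common image formats, mapped to the MIME type they imply.
IMAGE_MAGIC = {
    b"\xff\xd8\xff": "image/jpeg",
    b"\x89PNG\r\n\x1a\n": "image/png",
    b"GIF87a": "image/gif",
    b"GIF89a": "image/gif",
}


def header_value(headers, name):
    """Return the value of the first header named `name` (case-insensitive), or None."""
    wanted = name.lower()
    for hdr_name, value in headers:
        if hdr_name.lower() == wanted:
            return value
    return None


def nosniff_enabled(headers):
    """True when X-Content-Type-Options asks the browser not to sniff.

    Follows the parsing rule browsers use (Fetch standard): only the first
    comma-separated token counts, surrounding whitespace is ignored and the
    comparison is ASCII case-insensitive, so 'nosniff, foo' enables it while
    'foo, nosniff' does not.
    """
    value = header_value(headers, "X-Content-Type-Options")
    if value is None:
        return False
    return value.split(",", 1)[0].strip().lower() == "nosniff"


def magic_type(body):
    """Image type implied by the leading bytes, or None if none matches."""
    for magic, mime in IMAGE_MAGIC.items():
        if body.startswith(magic):
            return mime
    return None


def audit_upload_response(headers, body):
    """Return a list of finding codes for a response serving an uploaded file."""
    findings = []
    if not nosniff_enabled(headers):
        findings.append("missing-nosniff")
    declared = header_value(headers, "Content-Type")
    declared = declared.split(";", 1)[0].strip().lower() if declared else None
    actual = magic_type(body)
    if actual is None:
        findings.append("body-not-image")
    elif declared != actual:
        findings.append("content-type-mismatch")
    # Markup embedded in the file (e.g. inside a JPEG COM segment) is what a
    # sniffing browser could act on if it ignores the declared image type.
    lowered = body.lower()
    if b"<script" in lowered or b"<html" in lowered:
        findings.append("markup-in-body")
    return findings


# Constructed sample: a JPEG SOI marker followed by a COM (0xFFFE) segment whose
# payload is a script tag, standing in for "script content in the comment metadata".
COMMENT = b"<script>alert(1)</script>"
SAMPLE_JPEG = (
    b"\xff\xd8\xff\xfe" + (len(COMMENT) + 2).to_bytes(2, "big") + COMMENT + b"\xff\xd9"
)

# Constructed header sets: the weak one mirrors the report, the hardened one
# adds nosniff plus Content-Disposition: attachment as defence in depth.
WEAK_HEADERS = [("Content-Type", "image/jpeg")]
HARDENED_HEADERS = [
    ("Content-Type", "image/jpeg"),
    ("X-Content-Type-Options", "nosniff"),
    ("Content-Disposition", "attachment"),
]

if __name__ == "__main__":
    print("weak:", audit_upload_response(WEAK_HEADERS, SAMPLE_JPEG))
    print("hardened:", audit_upload_response(HARDENED_HEADERS, SAMPLE_JPEG))
```

Run against the weak header set the audit reports both the missing header and the markup inside the image; with the hardened set only the markup finding remains, which is still worth logging because nosniff only stops the browser from reinterpreting the bytes, it does not clean the file. Feeding the function real captured headers and body from a tool such as curl is the intended use; nothing here depends on network access.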