Issues that might arise due to having content disposition: inline on images

Avatar

Avatar

Prem_IB

Avatar

Prem_IB

Prem_IB

17-02-2021

I am trying to display images (png, jpeg, gif, svg) directly on browser instead of letting the users downloading it. I've read from so many places that having content disposition header as inline might cause some security issues, and it is better to have it as attachment. Can anyone provide me a scenario where this might be a problem?

AEM 6.5 security check

Accepted Solutions (1)

Accepted Solutions (1)

Avatar

Avatar

Sanket_Kumbharkhane

Avatar

Sanket_Kumbharkhane

Sanket_Kumbharkhane

17-02-2021

Hi @Prem_IB ,

 

yes, the OSGi config "org.apache.sling.security.impl.ContentDispositionFilter" provides the way to disable it but it could lead to security issues and that's why it is enabled by default in the product.

 

Here are a few security issues can cause: 

 

1. SVG images are vulnerable to XSS  attacks

https://research.securitum.com/do-you-allow-to-load-svg-files-you-have-xss/

 

2. if a user with access (or attacker) was to upload an HTML or JS file into the DAM which could execute first party in the domain, they could circumvent JS browser protections like ORIGIN headers.

 

https://experienceleaguecommunities.adobe.com/t5/adobe-experience-manager/apache-sling-content-dispo...

 

3. Also, check XSS Attack 4: Capture the keystrokes by injecting a keylogger

https://pentest-tools.com/blog/xss-attacks-practical-scenarios/

 

So, explore all the options in the above OSGI config like "Content Disposition Paths" & "Excluded Resource Paths" before disabling it for all files.

 

Hope it will help you.

 

Thanks

Answers (0)