If you allow users of your website to upload data (e.g. images), and you display this data to other users, you need to open the file on the server to examine it and check that it really is what it should be (e.g. an image).
Most website software will need to examine the image anyway, to extract thumbnails, determine width/height, etc., in which case this security comes for free. But I’ve seen software which doesn’t have any such needs, and thus server-side examination is not done.
The reason is:
- The web server may serve this file with the extension in the URL and the Content-Type: image/jpeg, however…
- Internet Explorer may under some circumstances ignore these two pieces of information, instead preferring to look at the bytes of the file, and work out what type of content the file contains
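- If Internet Explorer decides the file is HTML, it renders it as a page from your site. Through e.g. <img> tags (which are not restricted by the same-origin policy) the file can then send e.g. GET requests to an external site and transport the user’s cookie and form information with them.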
- Thus the attacker’s external site now has cookie/form information, and the attacker can use this to impersonate the user at the site.
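One way to do the server-side examination described at the top of this post, narrowed to PNG uploads. This is an added example, not code from the original post; `validate_png`, `make_chunk`, the 10000-pixel limit and the sample data are assumptions made for illustration.

```python
import struct
import zlib

PNG_SIGNATURE = b"\x89PNG\r\n\x1a\n"
MAX_DIMENSION = 10000  # assumed site limit, not from the original post


def validate_png(data: bytes) -> tuple:
    """Walk every chunk of an upload; return (width, height) or raise ValueError."""
    if not data.startswith(PNG_SIGNATURE):
        raise ValueError("missing PNG signature")
    pos, seen, size = len(PNG_SIGNATURE), [], None
    while pos < len(data) and (not seen or seen[-1] != b"IEND"):
        if pos + 12 > len(data):
            raise ValueError("truncated chunk")
        length, ctype = struct.unpack(">I4s", data[pos:pos + 8])
        end = pos + 12 + length  # length field + type + body + CRC
        if end > len(data):
            raise ValueError("chunk runs past end of file")
        body = data[pos + 8:end - 4]
        if zlib.crc32(ctype + body) != struct.unpack(">I", data[end - 4:end])[0]:
            raise ValueError("bad CRC")
        if not seen:  # the first chunk must be a 13-byte IHDR
            if ctype != b"IHDR" or length != 13:
                raise ValueError("first chunk is not IHDR")
            size = struct.unpack(">II", body[:8])
            if not all(0 < n <= MAX_DIMENSION for n in size):
                raise ValueError("implausible dimensions")
        seen.append(ctype)
        pos = end
    if not seen or seen[-1] != b"IEND" or b"IDAT" not in seen:
        raise ValueError("missing IDAT or IEND chunk")
    if pos != len(data):
        raise ValueError("trailing bytes after IEND")
    return size


def make_chunk(ctype: bytes, body: bytes) -> bytes:
    """Build one PNG chunk (used only to construct the sample below)."""
    return struct.pack(">I", len(body)) + ctype + body + struct.pack(">I", zlib.crc32(ctype + body))


# Constructed sample data: a 1x1 RGB PNG, and HTML uploaded as if it were an image.
SAMPLE_PNG = (PNG_SIGNATURE
              + make_chunk(b"IHDR", struct.pack(">IIBBBBB", 1, 1, 8, 2, 0, 0, 0))
              + make_chunk(b"IDAT", zlib.compress(b"\x00\x00\x00\x00"))
              + make_chunk(b"IEND", b""))
FAKE_UPLOAD = b"<html><body>not an image</body></html>"
```

Passing this check means the bytes form a well-formed PNG container; it does not decode the pixel data or strip text chunks, so software that re-encodes the image (as thumbnailing does) gets a stronger guarantee.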