Internet Explorer Content-Disposition HTML File Handling Flaw
Content-Disposition (defined in RFC 2183) is often used by web application developers as a mechanism to instruct the web browser on how it should handle a file download. This is commonly used to help prevent access to the application scope when handling file attachments
and mitigates the ability to leverage client-side attacks, such as XSS, through file downloads.
While Internet Explorer does handle downloading most file types correctly with Content-Disposition, it mishandles HTML files and instead opens them inline, exposing the application scope. As such, it is strongly advisable that web-based software vendors use alternative methods to mitigate this class of attack.
Vulnerable Versions:
All versions up to and including Internet Explorer 7 Beta 2.
More in http://www.zone-h.org/advisories/read/id=8903