Restrict downloadable MIME types [Updated in Security Center 1.3 and 2.0]
The glide.ui.attachment.download_mime_types property holds a comma-separated list of dangerous MIME types that the instance serves to the client as file downloads rather than rendering inline in the browser.
If the property glide.ui.attachment.force_download_all_mime_types is set to true, it overrides glide.ui.attachment.download_mime_types so that attachments of every MIME type are downloaded rather than rendered by the browser. For example, forcing text/html to download means an HTML attachment is saved to the client as a file instead of being displayed inline, so any script it contains never runs in the instance's origin, preventing a stored XSS attack. XSS on the instance can lead to easily attained privilege escalation to higher roles such as admin, from which further lateral movement is possible.
New remediation: Ensure the property glide.ui.attachment.force_download_all_mime_types is set to true. If the property does not exist in the sys_properties table, the default value is false.
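The following JavaScript is an added example, not ServiceNow's own code and not part of the original page. It models the decision the two properties drive (serve an attachment as a download or let the browser render it) and audits a set of property values against the recommended settings described above. Properties are read from a plain object standing in for sys_properties so the example runs offline; on an instance the equivalent lookup is gs.getProperty(name, defaultValue). The function names, the stand-in property object, the constructed sample values and the "attachment"/"inline" return strings are assumptions for illustration; the platform's real attachment-serving code is not shown on this page.

```javascript
// Added example (not ServiceNow code): models the attachment download decision
// described on this page and audits the two properties against the recommended
// hardening. Property values come from a plain object standing in for
// sys_properties (an assumption); on an instance use gs.getProperty(name, dflt).

const FORCE_ALL_PROP = "glide.ui.attachment.force_download_all_mime_types";
const MIME_LIST_PROP = "glide.ui.attachment.download_mime_types";

// Default and recommended list, as given on this page.
const DEFAULT_DOWNLOAD_MIME_TYPES =
  "text/html,image/svg,image/svg+xml,application/xml";

// Parse a comma-separated property value into a set of normalized MIME types.
function parseMimeList(value) {
  return new Set(
    String(value === undefined || value === null ? "" : value)
      .split(",")
      .map((t) => t.trim().toLowerCase())
      .filter((t) => t.length > 0)
  );
}

// Strip parameters ("; charset=utf-8") and case from a Content-Type value so
// that "TEXT/HTML; charset=utf-8" still matches the listed "text/html".
function normalizeMimeType(contentType) {
  return String(contentType || "").split(";")[0].trim().toLowerCase();
}

// ServiceNow stores booleans as the strings "true"/"false". A property that is
// absent from sys_properties is treated as false, as the page states.
function propertyIsTrue(props, name) {
  const raw = props[name] === undefined ? "false" : props[name];
  return String(raw).trim().toLowerCase() === "true";
}

// The configured list, falling back to the page's default when the property
// does not exist.
function configuredMimeList(props) {
  const raw = props[MIME_LIST_PROP];
  return parseMimeList(raw === undefined ? DEFAULT_DOWNLOAD_MIME_TYPES : raw);
}

// Decide how an attachment should be served: "attachment" (force a download)
// or "inline" (let the browser render it). The force-all property wins.
function contentDispositionFor(props, contentType) {
  if (propertyIsTrue(props, FORCE_ALL_PROP)) {
    return "attachment";
  }
  const listed = configuredMimeList(props);
  return listed.has(normalizeMimeType(contentType)) ? "attachment" : "inline";
}

// Audit: return findings for an instance whose properties are not hardened as
// this page recommends. An empty array means the recommendation is met.
function auditAttachmentProperties(props) {
  const findings = [];
  if (propertyIsTrue(props, FORCE_ALL_PROP)) {
    return findings; // force-all overrides the list, nothing else to check
  }
  findings.push(FORCE_ALL_PROP + " is not true; only listed MIME types are forced to download");
  const listed = configuredMimeList(props);
  for (const t of parseMimeList(DEFAULT_DOWNLOAD_MIME_TYPES)) {
    if (!listed.has(t)) {
      findings.push(MIME_LIST_PROP + " is missing recommended type " + t);
    }
  }
  return findings;
}

// Constructed sample property sets (stand-ins for sys_properties rows).
const SAMPLE_DEFAULT_INSTANCE = {}; // neither property exists
const SAMPLE_HARDENED_INSTANCE = { [FORCE_ALL_PROP]: "true" };
const SAMPLE_WEAKENED_INSTANCE = { [MIME_LIST_PROP]: "text/html" }; // SVG/XML removed

console.log(contentDispositionFor(SAMPLE_DEFAULT_INSTANCE, "TEXT/HTML; charset=utf-8"));
console.log(auditAttachmentProperties(SAMPLE_WEAKENED_INSTANCE));
```

The weakened sample shows why the force-all property is the preferred remediation: trimming the list to text/html alone lets an SVG attachment, which can carry script, render inline again, whereas with glide.ui.attachment.force_download_all_mime_types set to true the list no longer matters.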
More information
| Attribute | Description |
|---|---|
| Property name | glide.ui.attachment.download_mime_types |
| Configuration type | System Properties (/sys_properties_list.do) |
| Category | Validation, sanitization, and encoding |
| Purpose | Maintaining a proper list of dangerous file types that must not be rendered in the browser prevents cross-site scripting (XSS) attacks. |
| Recommended value | A list of applicable MIME types, or the recommended value: text/html,image/svg,image/svg+xml,application/xml |
| Default value | text/html,image/svg,image/svg+xml,application/xml |
| Type | String: any comma-separated list of MIME types. |
| Functional impact | The instance checks an attachment's MIME type before serving it when a user clicks an attachment in a ServiceNow AI Platform application. Listed types are saved as files instead of opening in the browser, so the user experience changes but no functionality is lost. |
| Security risk | (Moderate) Attackers can abuse MIME types to place unintended script content in an attachment, which then runs on the victim's side and captures sensitive information. XSS can lead to easily attained privilege escalation to higher roles, such as admin, from which further lateral movement is possible. To mitigate this, populate the property with a comma-separated list of attachment MIME types that must not render inline in the browser. |
| Security risk rating | 6.4 |
| Related properties | |
| References | Define restricted downloadable MIME types [Updated in Security Center 1.3, 1.5, and 2.0]. |