
The Horizon Connection Server must prevent MIME type sniffing.


Overview

Finding ID: V-246915
Version: HRZV-7X-000034
Rule ID: SV-246915r768705_rule
IA Controls: (none listed)
Severity: Medium
Description
MIME types define how a given type of file is intended to be processed by the browser. Modern browsers can determine the content type of a file by inspecting its byte headers and content, and can then override the type declared by the server. For example, a ".js" file sent with the "jpg" MIME type instead of the JavaScript MIME type would be "corrected" by the browser and processed as JavaScript. The danger is that a file could be disguised on the server as something else, such as JavaScript, opening the door to cross-site scripting. To disable browser "sniffing" of content type, the Connection Server sends the "x-content-type-options: nosniff" header by default. This configuration must be validated and maintained over time.
STIG: VMware Horizon 7.13 Connection Server Security Technical Implementation Guide
Date: 2021-07-30

Details

Check Text (C-50347r768703_chk)
On the Horizon Connection Server, navigate to "\VMware\VMware View\Server\sslgateway\conf".

If a file named "locked.properties" does not exist in this path, this is NOT a finding.

Open "locked.properties" in a text editor. Find the "x-content-type-options" setting.

If there is no "x-content-type-options" setting, this is NOT a finding.

If "x-content-type-options" is set to "false", this is a finding.
Fix Text (F-50301r768704_fix)
On the Horizon Connection Server, navigate to "\VMware\VMware View\Server\sslgateway\conf".

Open "locked.properties" in a text editor. Remove the following line:

x-content-type-options=false

Save and close the file. Restart the "VMware Horizon View Connection Server" service for changes to take effect.
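The check and fix above, scripted as an added example (not part of the STIG or of VMware's tooling): it applies the three-way verdict from the check text to the contents of "locked.properties" and strips the offending line as the fix text directs. The install root under "C:\Program Files" is an assumption; the sample file contents are constructed.

```python
"""Scripted check/fix for HRZV-7X-000034 (x-content-type-options in locked.properties).

Verdict logic taken from the check text:
  - file does not exist             -> NOT a finding
  - setting absent from the file    -> NOT a finding
  - x-content-type-options=false    -> finding
"""
from pathlib import Path
from typing import Dict, Optional

SETTING = "x-content-type-options"
# Assumed install root; the STIG gives only the relative path "\VMware\VMware View\Server\sslgateway\conf".
DEFAULT_PATH = Path(r"C:\Program Files\VMware\VMware View\Server\sslgateway\conf\locked.properties")


def parse_properties(text: str) -> Dict[str, str]:
    """Minimal Java .properties reader: key=value (or key:value) lines, '#'/'!' comments."""
    props: Dict[str, str] = {}
    for raw in text.splitlines():
        line = raw.strip()
        if not line or line[0] in "#!":
            continue
        key, sep, value = line.partition("=")
        if not sep:
            key, sep, value = line.partition(":")
        props[key.strip()] = value.strip()
    return props


def is_finding(text: Optional[str]) -> bool:
    """Apply the STIG check to the file contents; None means the file does not exist."""
    if text is None:
        return False
    value = parse_properties(text).get(SETTING)
    if value is None:
        return False
    return value.lower() == "false"  # Java boolean parsing is case-insensitive


def remediate(text: str) -> str:
    """Apply the fix: drop any 'x-content-type-options=false' line, keep everything else verbatim."""
    kept = []
    for raw in text.splitlines():
        key, _, value = raw.strip().partition("=")
        if key.strip() == SETTING and value.strip().lower() == "false":
            continue
        kept.append(raw)
    return "\n".join(kept) + ("\n" if text.endswith("\n") else "")


# Constructed sample content, not taken from a real server.
SAMPLE = "# constructed locked.properties\nserverProtocol=https\nx-content-type-options=false\n"

if __name__ == "__main__":
    contents = DEFAULT_PATH.read_text() if DEFAULT_PATH.exists() else None
    print("finding" if is_finding(contents) else "NOT a finding")
```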