#47359 [Asn->Csd]: XSS: incorrect mime type for bmp in getimagesize/image_type_to_mime_type()

Mon, 16 Mar 2009 20:30:10 -0700 

 ID:               47359
 Updated by:       scott...@php.net
 Reported By:      hsudhof at gmail dot com
-Status:           Assigned
+Status:           Closed
 Bug Type:         GetImageSize related
 Operating System: *
 PHP Version:      5.2.9RC1
 Assigned To:      scottmac
 New Comment:

This bug has been fixed in CVS.

Snapshots of the sources are packaged every three hours; this change
will be in the next snapshot. You can grab the snapshot at
http://snaps.php.net/.
 
Thank you for the report, and for helping us make PHP better.

Will be in 5.3+


Previous Comments:
------------------------------------------------------------------------

[2009-02-11 12:44:20] scott...@php.net

This looks like a bug in the IE mime type sniffing rather than a
specific XSS.

If I make the mime type image/bm or image/bmps or image/ms-bmp or any
of the half dozen that are listed they work correctly.

There is no official IANA mime type for bmp listed on the page so I'll
investigate this some more.

------------------------------------------------------------------------

[2009-02-11 11:53:26] hsudhof at gmail dot com

Description:
------------
For BMP images, image.c contains the mime type "image/bmp".
That mime type does not exist; the proper mime for bmp images is
"image/x-ms-bmp".


http://www.iana.org/assignments/media-types/image/

This is a problem, as this opens a XSS vulnerability for users with IE
< 8.


The reproduction code shows XSS, when the page is viewed with IE
versions earlier than IE8 Beta2.

Reproduce code:
---------------
<?php
$image =
'Qk1eAAAAAAAAAD4AAAAoAAAABwAAAAgAAAABAAEAAAAAACAAAAB0EgAAdDxzY3JpcHQ+YWxlcnQoJ1hTUyBkdWUgdG8gd3JvbmcgaGVhZGVyJyk7PC9zY3JpcHQ+AA==';
$file = base64_decode($image);
file_put_contents('test.bmp', $file);
$image_data = getimagesize('test.bmp');
header("Content-type: {$image_data['mime']}");
// echo "Expected: 'image/x-ms-bmp' ; actual :
'{$image_data['mime']}'";
header('Content-disposition: inline; filename="test.bmp"');
readfile('test.bmp');
// unlink('test.bmp');



Expected result:
----------------
Header: "image/x-ms-bmp"

Actual result:
--------------
Header : "image/bmp"; that causes a javascript popup when visiting with
IE6 and IE7.


------------------------------------------------------------------------


-- 
Edit this bug report at http://bugs.php.net/?id=47359&edit=1

Reply via email to