Bug #47359 XSS: incorrect mime type for bmp in getimagesize/image_type_to_mime_type()
Submitted: 2009-02-11 11:53 UTC Modified: 2009-03-17 03:29 UTC
Votes:1
Avg. Score:3.0 ± 0.0
Reproduced:1 of 1 (100.0%)
Same Version:0 (0.0%)
Same OS:0 (0.0%)
From: hsudhof at gmail dot com Assigned: scottmac (profile)
Status: Closed Package: GetImageSize related
PHP Version: 5.2.9RC1 OS: *
Private report: No CVE-ID: None
 [2009-02-11 11:53 UTC] hsudhof at gmail dot com
Description:
------------
For BMP images, image.c contains the mime type "image/bmp".
That mime type does not exist; the proper mime for bmp images is "image/x-ms-bmp".


http://www.iana.org/assignments/media-types/image/

This is a problem, as this opens an XSS vulnerability for users with IE < 8.


The reproduction code shows XSS when the page is viewed with IE versions earlier than IE8 Beta2.

Reproduce code:
---------------
<?php
// Base64-encoded BMP whose body carries an HTML <script> payload
$image = 'Qk1eAAAAAAAAAD4AAAAoAAAABwAAAAgAAAABAAEAAAAAACAAAAB0EgAAdDxzY3JpcHQ+YWxlcnQoJ1hTUyBkdWUgdG8gd3JvbmcgaGVhZGVyJyk7PC9zY3JpcHQ+AA==';
$file = base64_decode($image);
file_put_contents('test.bmp', $file);
// getimagesize() reports 'mime' => "image/bmp" for this file
$image_data = getimagesize('test.bmp');
// Served under "image/bmp", IE6/IE7 sniff the body and run the script (see actual result)
header("Content-type: {$image_data['mime']}");
// echo "Expected: 'image/x-ms-bmp' ; actual : '{$image_data['mime']}'";
header('Content-disposition: inline; filename="test.bmp"');
readfile('test.bmp');
// unlink('test.bmp');



Expected result:
----------------
Header: "image/x-ms-bmp"

Actual result:
--------------
Header: "image/bmp"; that causes a JavaScript popup when visiting with IE6 and IE7.
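A hardened variant of the serving logic in the reproduction code, added here as an example and not part of the report or of PHP's own sources. Instead of trusting the 'mime' string that getimagesize() derives, it keys the Content-Type on the IMAGETYPE_* constant in index 2 of the result, restricts output to a short allow-list (refusing anything else with a 415), and sends X-Content-Type-Options: nosniff so browsers that honour that header (IE8 and later) do not second-guess the declared type. The helper names (image_headers_for, serve_image, sample_bmp) and the 1x1 BMP built with pack() are assumptions made for this example; the sample image carries no script payload.

```php
<?php
// Added example, not from the bug report or from PHP's own sources.
// Serves an image with an allow-listed Content-Type plus X-Content-Type-Options: nosniff,
// and constructs a tiny 1x1 24-bit BMP so the script can be run stand-alone from the CLI.

// Allow-list keyed on the numeric type getimagesize() returns in index 2, so a wrong
// (or later changed) string from image_type_to_mime_type() cannot reach the response.
const IMAGE_TYPES_ALLOWED = [
    IMAGETYPE_GIF  => 'image/gif',
    IMAGETYPE_JPEG => 'image/jpeg',
    IMAGETYPE_PNG  => 'image/png',
    IMAGETYPE_BMP  => 'image/x-ms-bmp',   // the type the report asks for
];

// Returns the response headers for $path, or null if it is not an allowed image.
function image_headers_for(string $path): ?array {
    $info = @getimagesize($path);
    if ($info === false || !isset(IMAGE_TYPES_ALLOWED[$info[2]])) {
        return null;
    }
    return [
        'Content-Type'           => IMAGE_TYPES_ALLOWED[$info[2]],
        // Tells IE8+ and other browsers that honour it not to sniff the body for HTML.
        'X-Content-Type-Options' => 'nosniff',
        // attachment: a direct visit downloads the file instead of rendering it as a
        // document; <img src="..."> still displays it.
        'Content-Disposition'    => 'attachment; filename="' . basename($path) . '"',
        'Content-Length'         => (string) filesize($path),
    ];
}

// Sends the headers and body, or refuses the request if the file is not an allowed image.
function serve_image(string $path): void {
    $headers = image_headers_for($path);
    if ($headers === null) {
        http_response_code(415);   // not an allowed image: refuse rather than guess a type
        exit;
    }
    foreach ($headers as $name => $value) {
        header($name . ': ' . $value);
    }
    readfile($path);
}

// Constructed sample (not from the report): a 1x1 red 24-bit BMP, 58 bytes.
function sample_bmp(): string {
    // BITMAPFILEHEADER: signature, file size, two reserved words, offset to pixel data
    $fileHeader = pack('a2VvvV', 'BM', 58, 0, 0, 54);
    // BITMAPINFOHEADER: size 40, width 1, height 1, planes 1, 24 bpp, no compression,
    // image size 4, 2835 px/m both axes, no palette entries
    $infoHeader = pack('VVVvvVVVVVV', 40, 1, 1, 1, 24, 0, 4, 2835, 2835, 0, 0);
    $pixels     = "\x00\x00\xFF\x00";   // one BGR pixel plus one pad byte to a 4-byte row
    return $fileHeader . $infoHeader . $pixels;
}

if (PHP_SAPI === 'cli') {
    // Stand-alone run: write the sample BMP and print the headers it would be served with.
    $tmp = tempnam(sys_get_temp_dir(), 'bmp');
    file_put_contents($tmp, sample_bmp());
    print_r(image_headers_for($tmp));   // Content-Type => image/x-ms-bmp, nosniff, ...
    unlink($tmp);
} else {
    // Under a web server: serve test.bmp next to this script (path is an assumption).
    serve_image(__DIR__ . '/test.bmp');
}
```

The allow-list is the part that matters for this report: whichever string a given PHP version maps IMAGETYPE_BMP to, the response only ever carries a type the application chose. The nosniff header covers browsers that understand it, and the attachment disposition limits what an older browser can do with a direct visit; if the file has to render inline on a direct visit, keep nosniff and serve user-supplied images from a separate origin so a sniffed script cannot act on the main site.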

 [2009-02-11 12:44 UTC] scottmac@php.net
This looks like a bug in the IE mime type sniffing rather than a specific XSS.

If I make the mime type image/bm or image/bmps or image/ms-bmp or any of the half dozen that are listed they work correctly.

There is no official IANA mime type for bmp listed on the page so I'll investigate this some more.
 [2009-03-17 03:29 UTC] scottmac@php.net
This bug has been fixed in CVS.

Snapshots of the sources are packaged every three hours; this change
will be in the next snapshot. You can grab the snapshot at
http://snaps.php.net/.
 
Thank you for the report, and for helping us make PHP better.

Will be in 5.3+
 