From: hsudhof at gmail dot com
Operating system: Irrelevant
PHP version: 5.2.9RC1
PHP Bug Type: GetImageSize related
Bug description: XSS: incorrect mime type for bmp in getimagesize/image_type_to_mime_type()
Description:
------------
For BMP images, image.c contains the mime type "image/bmp". That mime type does not exist; the proper mime for bmp images is "image/x-ms-bmp".
http://www.iana.org/assignments/media-types/image/

This is a problem, as this opens an XSS vulnerability for users with IE < 8. The reproduction code shows XSS when the page is viewed with IE versions earlier than IE8 Beta2.

Reproduce code:
---------------
<?php
// Base64-encoded BMP whose body carries a <script> tag; written to disk, then served
// back with whatever mime type getimagesize() reports for it.
$image = 'Qk1eAAAAAAAAAD4AAAAoAAAABwAAAAgAAAABAAEAAAAAACAAAAB0EgAAdDxzY3JpcHQ+YWxlcnQoJ1hTUyBkdWUgdG8gd3JvbmcgaGVhZGVyJyk7PC9zY3JpcHQ+AA==';
$file = base64_decode($image);
file_put_contents('test.bmp', $file);
$image_data = getimagesize('test.bmp');
header("Content-type: {$image_data['mime']}");
// echo "Expected: 'image/x-ms-bmp' ; actual : '{$image_data['mime']}'";
header('Content-disposition: inline; filename="test.bmp"');
readfile('test.bmp');
// unlink('test.bmp');

Expected result:
----------------
Header: "image/x-ms-bmp"

Actual result:
--------------
Header: "image/bmp"; that causes a javascript popup when visiting with IE6 and IE7.
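A defensive counterpart to the reproduction script, added here as an example (it is not part of the bug report or of PHP's own code): instead of echoing whatever 'mime' value getimagesize() returns, the handler maps the detected IMAGETYPE_* constant through an explicit allow-list, forces a download for anything else, and sets X-Content-Type-Options: nosniff so browsers that honour it (IE8 and later) do not sniff the body. It assumes PHP 7.1 or later and a file path of test.bmp.

```php
<?php
// Added example, not from the bug report: serve an image without trusting
// getimagesize()'s 'mime' string. Assumes PHP >= 7.1 and a file at test.bmp.

// Explicit map from IMAGETYPE_* constants to the MIME type we are willing to send.
// BMP is listed as image/x-ms-bmp, the type the bug report identifies as correct.
const IMAGE_MIME_ALLOWLIST = [
    IMAGETYPE_GIF  => 'image/gif',
    IMAGETYPE_JPEG => 'image/jpeg',
    IMAGETYPE_PNG  => 'image/png',
    IMAGETYPE_BMP  => 'image/x-ms-bmp',
];

/**
 * Return the MIME type to send for $path, or null when the file is not an
 * image type on the allow-list (unknown types are never served inline).
 */
function safeImageMime(string $path): ?string
{
    $info = @getimagesize($path);
    if ($info === false) {
        return null; // not parseable as an image at all
    }
    $type = $info[2]; // IMAGETYPE_* constant detected from the file header
    return IMAGE_MIME_ALLOWLIST[$type] ?? null;
}

/** Send $path to the client with headers chosen by the allow-list, not by the file. */
function serveImage(string $path, string $downloadName): void
{
    // Keep the filename header free of quotes and line breaks.
    $name = str_replace(['"', "\r", "\n"], '', basename($downloadName));
    $mime = safeImageMime($path);
    if ($mime === null) {
        // Refuse to render unknown content inline; hand it over as a download.
        header('Content-Type: application/octet-stream');
        header('Content-Disposition: attachment; filename="' . $name . '"');
    } else {
        header('Content-Type: ' . $mime);
        header('Content-Disposition: inline; filename="' . $name . '"');
    }
    // Tell the browser not to second-guess the declared type (honoured from IE8 on).
    header('X-Content-Type-Options: nosniff');
    header('Content-Length: ' . (string) filesize($path));
    readfile($path);
}

serveImage('test.bmp', 'test.bmp');
```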
-- Edit bug report at http://bugs.php.net/?id=47359&edit=1 --
