ID:               47359
 Updated by:       [email protected]
 Reported By:      hsudhof at gmail dot com
-Status:           Analyzed
+Status:           Assigned
 Bug Type:         GetImageSize related
 Operating System: *
 PHP Version:      5.2.9RC1
-Assigned To:      
+Assigned To:      scottmac


Previous Comments:
------------------------------------------------------------------------

[2009-02-11 12:44:20] [email protected]

This looks like a bug in the IE mime type sniffing rather than a
specific XSS.

If I make the mime type image/bm or image/bmps or image/ms-bmp or any
of the half dozen that are listed they work correctly.

There is no official IANA mime type for bmp listed on the page so I'll
investigate this some more.

------------------------------------------------------------------------

[2009-02-11 11:53:26] hsudhof at gmail dot com

Description:
------------
For BMP images, image.c contains the mime type "image/bmp".
That mime type does not exist; the proper mime for bmp images is
"image/x-ms-bmp".


http://www.iana.org/assignments/media-types/image/

This is a problem, as this opens an XSS vulnerability for users with IE
< 8.


The reproduction code shows XSS when the page is viewed with IE
versions earlier than IE8 Beta2.

Reproduce code:
---------------
<?php
// Minimal BMP whose pixel data carries a <script> tag (base64-encoded).
$image =
'Qk1eAAAAAAAAAD4AAAAoAAAABwAAAAgAAAABAAEAAAAAACAAAAB0EgAAdDxzY3JpcHQ+YWxlcnQoJ1hTUyBkdWUgdG8gd3JvbmcgaGVhZGVyJyk7PC9zY3JpcHQ+AA==';
$file = base64_decode($image);
file_put_contents('test.bmp', $file);
$image_data = getimagesize('test.bmp');
// The mime string comes straight from image.c.
header("Content-type: {$image_data['mime']}");
// echo "Expected: 'image/x-ms-bmp' ; actual : '{$image_data['mime']}'";
header('Content-disposition: inline; filename="test.bmp"');
readfile('test.bmp');
// unlink('test.bmp');



Expected result:
----------------
Header: "image/x-ms-bmp"

Actual result:
--------------
Header: "image/bmp"; that causes a JavaScript popup when visiting with
IE6 and IE7.


------------------------------------------------------------------------
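A hardened way to serve the same test.bmp, added here as an example and not part of the bug report or of PHP's own code: the application chooses the MIME string itself instead of echoing whatever image.c returns, tells sniffing browsers to trust the declared type, and forces a download so the bytes are never rendered inline. The `$allowed` table and `serve_image()` are assumed names; the file is the one written by the reproduce code above.

```php
<?php
// Added defensive example (not from the bug report). Assumes test.bmp exists
// on disk, e.g. as written by the reproduce code in the report.

// Explicit allow-list: the MIME string is chosen by the application for each
// detected IMAGETYPE_* constant, not taken from getimagesize()'s 'mime' key.
$allowed = array(
    IMAGETYPE_GIF  => 'image/gif',
    IMAGETYPE_JPEG => 'image/jpeg',
    IMAGETYPE_PNG  => 'image/png',
    IMAGETYPE_BMP  => 'image/x-ms-bmp',  // the value the reporter expects
);

function serve_image($path, array $allowed)
{
    // getimagesize() returns false for anything it cannot parse; index 2 is
    // the IMAGETYPE_* constant of the detected format.
    $info = @getimagesize($path);
    if ($info === false || !isset($allowed[$info[2]])) {
        header('HTTP/1.1 415 Unsupported Media Type');
        return false;
    }
    $mime = $allowed[$info[2]];

    // Ask browsers that support it (IE8 and later) not to sniff the body.
    header('X-Content-Type-Options: nosniff');
    header('Content-Type: ' . $mime);
    // Forcing a download keeps older IE from rendering script embedded in the
    // pixel data as part of an inline page.
    header('Content-Disposition: attachment; filename="' . basename($path) . '"');
    header('Content-Length: ' . filesize($path));
    readfile($path);
    return true;
}

serve_image('test.bmp', $allowed);
```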


-- 
Edit this bug report at http://bugs.php.net/?id=47359&edit=1