incorrect mime type for bmp in getimagesize/image_type_to_mime_type()
| Bug #47359 | XSS: incorrect mime type for bmp in getimagesize/image_type_to_mime_type() |
|---|---|
| Submitted: | 2009-02-11 11:53 UTC |
| Modified: | 2009-03-17 03:29 UTC |
| From: | hsudhof at gmail dot com |
| Assigned: | scottmac (profile) |
| Status: | Closed |
| Package: | GetImageSize related |
| PHP Version: | 5.2.9RC1 |
| OS: | * |
| Private report: | No |
| CVE-ID: | None |
[2009-02-11 11:53 UTC] hsudhof at gmail dot com
Description:
------------
For BMP images, image.c contains the mime type "image/bmp". That mime type does not exist; the proper mime for bmp images is "image/x-ms-bmp". http://www.iana.org/assignments/media-types/image/

This is a problem, as this opens an XSS vulnerability for users with IE < 8. The reproduction code shows XSS when the page is viewed with IE versions earlier than IE8 Beta2.

Reproduce code:
---------------
```php
<?php
$image = 'Qk1eAAAAAAAAAD4AAAAoAAAABwAAAAgAAAABAAEAAAAAACAAAAB0EgAAdDxzY3JpcHQ+YWxlcnQoJ1hTUyBkdWUgdG8gd3JvbmcgaGVhZGVyJyk7PC9zY3JpcHQ+AA==';
$file = base64_decode($image);
file_put_contents('test.bmp', $file);
$image_data = getimagesize('test.bmp');
header("Content-type: {$image_data['mime']}");
// echo "Expected: 'image/x-ms-bmp' ; actual : '{$image_data['mime']}'";
header('Content-disposition: inline; filename="test.bmp"');
readfile('test.bmp');
// unlink('test.bmp');
```

Expected result:
----------------
Header: "image/x-ms-bmp"

Actual result:
--------------
Header: "image/bmp"; that causes a javascript popup when visiting with IE6 and IE7.
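The report's reproduce script echoes whatever string `getimagesize()` puts in `$image_data['mime']` straight into the `Content-Type` header, so a wrong or unrecognised value goes to the browser unchanged. The following is an added example, not code from the bug report or from PHP itself, showing how a defender can serve images without depending on that string: the script keys an explicit allow-list on the `IMAGETYPE_*` constant in `$info[2]`, maps BMP to the "image/x-ms-bmp" value the reporter cites from the IANA registry, and adds the response headers that keep a browser from rendering the body as HTML. The function names `allowed_image_mime()` and `serve_image()`, the allow-list contents and the 415 response are this example's own choices.

```php
<?php
// Added example (not from the bug report): serve an image through an explicit
// MIME allow-list instead of trusting the string getimagesize() returns.

/**
 * Map an IMAGETYPE_* constant to the MIME type we are willing to send.
 * The table is this example's own choice (an assumption); the BMP entry uses
 * the "image/x-ms-bmp" value the reporter cites from the IANA registry.
 * Returns null for anything not on the list.
 */
function allowed_image_mime($imagetype)
{
    static $allowed = null;
    if ($allowed === null) {
        $allowed = array(
            IMAGETYPE_GIF  => 'image/gif',
            IMAGETYPE_JPEG => 'image/jpeg',
            IMAGETYPE_PNG  => 'image/png',
            IMAGETYPE_BMP  => 'image/x-ms-bmp',
        );
    }
    return isset($allowed[$imagetype]) ? $allowed[$imagetype] : null;
}

/**
 * Send $path to the client (hypothetical helper). Returns the MIME type that
 * was sent, or null if the file was refused so the caller can log it.
 */
function serve_image($path, $downloadName)
{
    // getimagesize() returns false when the magic bytes match no known format;
    // index 2 holds the IMAGETYPE_* constant, which is what we key on.
    $info = @getimagesize($path);
    $mime = ($info === false) ? null : allowed_image_mime($info[2]);

    if ($mime === null) {
        header('HTTP/1.1 415 Unsupported Media Type');
        header('Content-Type: text/plain');
        echo "Unsupported image type\n";
        return null;
    }

    // Keep the filename parameter to a safe character set so it cannot break
    // out of the quoted value in the Content-Disposition header.
    $safeName = preg_replace('/[^A-Za-z0-9._-]/', '_', basename($downloadName));

    header('Content-Type: ' . $mime);
    // Honoured by IE8 and later: the browser must not second-guess Content-Type.
    header('X-Content-Type-Options: nosniff');
    // "attachment" rather than the report's "inline": a browser that ignores
    // nosniff (IE6/IE7 in the report) downloads the file instead of rendering
    // any markup found inside it.
    header('Content-Disposition: attachment; filename="' . $safeName . '"');
    header('Content-Length: ' . filesize($path));
    readfile($path);
    return $mime;
}

serve_image('test.bmp', 'test.bmp');
```

Because `X-Content-Type-Options: nosniff` is only understood from IE8 on, it does not by itself cover the IE6/IE7 case in the report; the `attachment` disposition and the allow-list are what stop the rendered-as-HTML outcome there, and the header is defence in depth for newer browsers.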
History
[2009-02-11 12:44 UTC] scottmac@php.net
[2009-03-17 03:29 UTC] scottmac@php.net