Analysis: MIME sniffing problems in PHP applications
Security specialist Jacques Copeau has analysed a number of well-known PHP applications for susceptibility to the MIME sniffing issue in Internet Explorer. This "protective" feature, originally introduced as a security measure in Internet Explorer 6 and 7, can in fact cause the browser to treat an image as HTML and execute embedded scripts.
Attackers can use this to circumvent protective measures used by websites which, for example, allow images to be uploaded, but do not allow generation of active content. More details can be found in the feature article "Risky sniffing" at The H Security.
Copeau looked at the bulletin board and forum applications MyBB (1.4.5), SMF (1.1.18 / 2.0RC1), phpBB (2.0.23/3.0.4), FluxBB (1.3), phorum (5.2.10), WBB (lite/3.0.8) and vBulletin (3.8.2) to see if they offer specific functions to protect against this kind of attack on users and, if they do, whether they can be circumvented.
Copeau found that MyBB forced the download of files by setting the content-disposition: attachment HTTP header, so that images are simply not displayed in the browser. FluxBB carried out just a rudimentary file type check when uploading a file, which is relatively easily to fool. SMF also checked that the uploaded image had the correct file type, but still delivered images in which the file extension and signature differed to the browser. WBB had implemented a JavaScript filter, but it only recognised plain text tags such as <script>. If the tags were obfuscated, the filter no longer blocked them. Phorum did not implement any protective functions.
vBulletin and phpBB3 also used filters to prevent attacks via scripts in images, which Copeau says he was unable to circumvent. phpBB2 also turned out not to contain the vulnerability, because it sends the correct headers for the image formats supported.
According to Copeau, the developers behind MyBB, FluxBB, Phorum and SMF have all responded to the problem and fixed it in the latest versions of their applications. Administrators should consider updating to more recent version to protect users. Currently, only the WBB developer team have failed to release an update.
Internet Explorer 8 does not implement MIME sniffing and so this recent release of the IE browser no longer interprets code hidden within images.
See also:
- Survey: "MIME/Content-Type-Sniffing" Issues in Image Uploads in Forum Scripts, analysis from Jacques Copeau.
(crve)
![Kernel Log: Coming in 3.10 (Part 3) [--] Infrastructure](/imgs/43/1/0/4/2/6/7/2/comingin310_4_kicker-4977194bfb0de0d7.png)
![Kernel Log: Coming in 3.10 (Part 3) [--] Infrastructure](/imgs/43/1/0/4/2/3/2/3/comingin310_3_kicker-151cd7b9e9660f05.png)
