Analysis: MIME sniffing problems in PHP applications
Security specialist Jacques Copeau has analysed a number of well-known PHP applications for susceptibility to the MIME sniffing issue in Internet Explorer. This "protective" feature, originally introduced as a security measure in Internet Explorer 6 and 7, can in fact cause the browser to treat an image as HTML and execute embedded scripts.
Attackers can use this to circumvent the protective measures of websites which, for example, allow images to be uploaded but do not allow active content to be generated. More details can be found in the feature article "Risky sniffing" at The H Security.
Copeau looked at the bulletin board and forum applications MyBB (1.4.5), SMF (1.1.18 / 2.0RC1), phpBB (2.0.23/3.0.4), FluxBB (1.3), phorum (5.2.10), WBB (lite/3.0.8) and vBulletin (3.8.2) to see if they offer specific functions to protect against this kind of attack on users and, if they do, whether they can be circumvented.
vBulletin and phpBB3 use filters to prevent attacks via scripts embedded in images, which Copeau says he was unable to circumvent. phpBB2 also turned out not to contain the vulnerability, because it sends the correct headers for the image formats it supports.
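As an added example (not code from the survey or from any of the forum projects named above), the following PHP download handler illustrates the approach phpBB2 is credited with: it serves an uploaded file only after its magic bytes match a supported image format, and it always sends an explicit Content-Type together with X-Content-Type-Options: nosniff so the browser has nothing to guess. The upload directory and the `f` query parameter are assumptions.

```php
<?php
// Added example; not part of the survey or of any forum package discussed.
// Assumed layout: uploaded files live in $uploadDir and are requested by
// bare filename via ?f=<name>. Both the directory and the parameter are
// hypothetical.
$uploadDir = '/var/www/uploads';

// Magic bytes of the image formats we are willing to serve, mapped to the
// Content-Type that is sent for each.
$signatures = [
    "\xFF\xD8\xFF"      => 'image/jpeg',
    "\x89PNG\r\n\x1A\n" => 'image/png',
    "GIF87a"            => 'image/gif',
    "GIF89a"            => 'image/gif',
];

// Return the Content-Type whose signature starts the file, or null if the
// header matches none of the supported formats.
function detectImageType(string $head, array $signatures): ?string
{
    foreach ($signatures as $magic => $type) {
        if (strncmp($head, $magic, strlen($magic)) === 0) {
            return $type;
        }
    }
    return null;
}

$name = basename($_GET['f'] ?? '');      // strip any path components
$path = $uploadDir . '/' . $name;
if ($name === '' || !is_file($path)) {
    http_response_code(404);
    exit;
}

$fh   = fopen($path, 'rb');
$head = fread($fh, 256);                 // the window IE6/7 sniff
fclose($fh);

$type = detectImageType($head, $signatures);
// Refuse files that do not start like a supported image, and also files that
// do but carry HTML markup inside the sniffed window, which is exactly the
// case the browser's sniffer misclassifies.
if ($type === null || stripos($head, '<html') !== false || stripos($head, '<script') !== false) {
    http_response_code(403);
    exit;
}

header('Content-Type: ' . $type);
header('X-Content-Type-Options: nosniff'); // honoured from IE8 onwards
header('Content-Length: ' . filesize($path));
readfile($path);
```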
According to Copeau, the developers behind MyBB, FluxBB, Phorum and SMF have all responded to the problem and fixed it in the latest versions of their applications. Administrators should consider updating to a more recent version to protect their users. Currently, only the WBB developer team have failed to release an update.
Internet Explorer 8 does not implement MIME sniffing and so this recent release of the IE browser no longer interprets code hidden within images.
- Survey: "MIME/Content-Type-Sniffing" Issues in Image Uploads in Forum Scripts, analysis from Jacques Copeau.