mime types
// A properly uploaded file will pass this test. There should be no reason to override this one.
if (! @ is_uploaded_file( $file['tmp_name'] ) )
return $upload_error_handler( $file, __( 'Specified file failed upload test.' ));
// A correct MIME type will pass this test. Override $mimes or use the upload_mimes filter.
if ( $test_type ) {
$wp_filetype = wp_check_filetype( $file['name'], $mimes );
extract( $wp_filetype );
string size value (such as 0x000061A8 followed by 25,050 A's), applications that do not properly apply boundary checks will overflow a stack-based buffer. This is because most applications read the string data until they encounter a NULL byte.
Vulnerability #4: Picture MIME-Type Size Heap Overflow
The Picture Metadata block allows the insertion of a MIME-Type for the
embedded album art in a FLAC file. This field is vulnerable to a
heap-based overflow when applications that support FLAC album art
attempt to process an overly large MIME-TYPE Size field. Again arbitrary
code execution depends on the location of the overwritten memory, the
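The two FLAC findings above come down to the same defect: a 32-bit length field in the Picture metadata block is trusted and used to size a copy. The following is an added example, not code from the advisory or from any FLAC implementation. It parses the PICTURE block body with every length checked against both a sane maximum and the bytes actually present; MAX_MIME_LEN and MAX_DESC_LEN are assumed policy limits, and the sample blocks are constructed here for illustration.

```python
"""Bounds-checked parser for a FLAC PICTURE metadata block body.

Added example, not the advisory's or any FLAC library's code. Layout per the
FLAC format (all integers 32-bit big-endian): picture type, MIME length +
bytes, description length + bytes, width, height, depth, colors, data
length + bytes. The length fields are what the advisory's overflows abuse.
"""
import struct

MAX_MIME_LEN = 256          # assumption: no real MIME type string is longer
MAX_DESC_LEN = 64 * 1024    # assumption: generous cap for the description


class FlacPictureError(ValueError):
    """Raised for any block whose lengths cannot be honoured safely."""


def _u32(buf, off):
    """Read a big-endian u32 at off, refusing to run past the buffer."""
    if off + 4 > len(buf):
        raise FlacPictureError("truncated block at offset %d" % off)
    return struct.unpack_from(">I", buf, off)[0], off + 4


def _field(buf, off, limit, name):
    """Read a length-prefixed field. The vulnerable pattern is to trust the
    length and copy that many bytes; here it must fit the policy limit and
    the bytes that remain in the block."""
    length, off = _u32(buf, off)
    if length > limit:
        raise FlacPictureError("%s length %d exceeds limit %d" % (name, length, limit))
    if off + length > len(buf):
        raise FlacPictureError("%s length %d overruns block (%d bytes left)"
                               % (name, length, len(buf) - off))
    return buf[off:off + length], off + length


def parse_picture_block(body: bytes) -> dict:
    off = 0
    pic_type, off = _u32(body, off)
    mime, off = _field(body, off, MAX_MIME_LEN, "MIME type")
    desc, off = _field(body, off, MAX_DESC_LEN, "description")
    width, off = _u32(body, off)
    height, off = _u32(body, off)
    depth, off = _u32(body, off)
    colors, off = _u32(body, off)
    data, off = _field(body, off, len(body), "picture data")
    if off != len(body):
        raise FlacPictureError("%d trailing bytes after picture data" % (len(body) - off))
    try:
        mime_str = mime.decode("ascii")
    except UnicodeDecodeError:
        raise FlacPictureError("MIME type is not ASCII")
    return {"type": pic_type, "mime": mime_str,
            "description": desc.decode("utf-8", "replace"),
            "width": width, "height": height, "depth": depth,
            "colors": colors, "data": data}


def build_picture_block(pic_type, mime, desc, width, height, depth, colors,
                        data, mime_len=None):
    """Builder for test input; mime_len lets a caller forge the length field."""
    mime_len = len(mime) if mime_len is None else mime_len
    return (struct.pack(">II", pic_type, mime_len) + mime
            + struct.pack(">I", len(desc)) + desc
            + struct.pack(">IIIII", width, height, depth, colors, len(data)) + data)


# Constructed samples: a front-cover picture with a four-byte stand-in payload,
# and the same block with the MIME length forged to 0x000061A8 (25000) as in
# the advisory, while only 10 MIME bytes actually follow.
GOOD_BLOCK = build_picture_block(3, b"image/jpeg", b"cover", 1, 1, 24, 0, b"\xff\xd8\xff\xd9")
BAD_BLOCK = build_picture_block(3, b"image/jpeg", b"cover", 1, 1, 24, 0, b"\xff\xd8\xff\xd9",
                                mime_len=0x000061A8)


def check(block: bytes) -> str:
    """Return 'ok' or 'rejected: <reason>' without ever touching forged bytes."""
    try:
        parse_picture_block(block)
        return "ok"
    except FlacPictureError as e:
        return "rejected: " + str(e)


if __name__ == "__main__":
    print(check(GOOD_BLOCK))
    print(check(BAD_BLOCK))
```

The same `_field` check also catches the case the advisory does not spell out: a length under the policy limit that still runs past the end of the block, which is the variant a fuzzer finds first.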
FluxBB does not sufficiently sanitize images uploaded by users, leading to
a cross-site scripting vulnerability. The problem arises because IE uses MIME
sniffing to establish the file type when confronted with an unknown
header; crafted image files can be falsely identified as text/html,
leading to cross-site scripting.
In particular, many web applications use the incorrect MIME type image/bmp,
which triggers the described sniffing.
FluxBB in particular does no validation of the image's file type.
Fix Information
As I mentioned at my site (http://websecurity.com.ua/3762/), where I posted
about this XSS vulnerability in Invision Power Board, the fix offered by
Xacker is not effective, and it is better to use the other method of fixing
offered by me.
The author of this advisory said that in IPB a MIME-type application/x-dirview
is set for txt files. But at my forum (on IPB 2.2.2) the MIME-type
text/plain was set by default for txt files and the attack worked. So the
author's recommendation to set text/plain is not effective (and in IPB
1.x there is no possibility to set a MIME-type at all), and I recommend
turning off support for txt files at the forum.
$mklib->error_page($message);
exit;
}
@chmod("mkportal/blog/images/tmp/$file_name", 0644);
//Validate by mime type
$tmpfilename = "mkportal/blog/images/tmp/$file_name";
$size = @getimagesize($tmpfilename);
//If getimagesize does not recognize file as an image delete file
if (!$size) {
@unlink($tmpfilename);
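Both the FluxBB report above and this MKPortal snippet rely on the same idea: a file that a header check recognises as an image is treated as safe. A getimagesize()-style check only establishes that the first bytes look like an image; a sniffing browser that sees HTML markers in the leading bytes of an "image" may still render it as text/html. The following is an added example, not FluxBB's or MKPortal's code. looks_like_image() stands in for the header check, ie_would_sniff_html() is a deliberately simplified model of the FindMimeFromData heuristic (the real algorithm is more involved; the 256-byte window and the marker list are assumptions for illustration), and validate_image_upload() closes the gap. The sample byte strings are constructed here.

```python
"""Header-only image validation versus a sniffing browser.

Added example, not code from FluxBB or MKPortal. Shows that a GIF-signature
check passes a GIF/HTML polyglot, that a simplified sniffer flags it, and
how the upload validator should combine both checks.
"""

# Image signatures a getimagesize()-style check would recognise.
SIGNATURES = {
    b"GIF87a": "image/gif",
    b"GIF89a": "image/gif",
    b"\x89PNG\r\n\x1a\n": "image/png",
    b"\xff\xd8\xff": "image/jpeg",
    b"BM": "image/bmp",
}

# Assumption: markers a content sniffer keys on. The real IE list is longer.
HTML_MARKERS = (b"<html", b"<head", b"<body", b"<script", b"<title",
                b"<iframe", b"<object", b"<!doctype")
SNIFF_WINDOW = 256  # assumption: bytes the sniffer inspects


def looks_like_image(data: bytes):
    """Header check only: returns the MIME type implied by the signature."""
    for magic, mime in SIGNATURES.items():
        if data.startswith(magic):
            return mime
    return None


def ie_would_sniff_html(data: bytes) -> bool:
    """Simplified model of MIME sniffing: any HTML marker in the leading
    bytes is enough for the content to be treated as text/html."""
    head = data[:SNIFF_WINDOW].lower()
    return any(marker in head for marker in HTML_MARKERS)


def validate_image_upload(data: bytes):
    """Return (mime, 'ok') for an acceptable image, else (None, reason).

    A valid signature is necessary but not sufficient: the file must also
    not carry anything a sniffing browser could mistake for markup.
    """
    mime = looks_like_image(data)
    if mime is None:
        return None, "no recognised image signature"
    if ie_would_sniff_html(data):
        return None, "image contains HTML markers a sniffing browser may render"
    return mime, "ok"


# Constructed samples: a minimal 1x1 GIF, and a GIF/HTML polyglot whose
# header satisfies the signature check.
CLEAN_GIF = (b"GIF89a\x01\x00\x01\x00\x80\x00\x00\x00\x00\x00\xff\xff\xff"
             b",\x00\x00\x00\x00\x01\x00\x01\x00\x00\x02\x02D\x01\x00;")
POLYGLOT_GIF = (b"GIF89a"
                b"<html><body><script>alert(document.cookie)</script></body></html>")
NOT_AN_IMAGE = b"<html><body>plain html</body></html>"


if __name__ == "__main__":
    for name, blob in (("clean", CLEAN_GIF), ("polyglot", POLYGLOT_GIF),
                       ("html", NOT_AN_IMAGE)):
        print(name, looks_like_image(blob), validate_image_upload(blob))
```

The marker scan is a stop-gap that keeps to the standard library. The robust fix is to re-encode every accepted image with an image library so that nothing but pixel data survives, serve user content from a separate origin, and send X-Content-Type-Options: nosniff, which IE honours from version 8 onwards.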
The problem is derived from the sequence of actions performed by
Internet Explorer to determine the content-type of the content to be
loaded and the appropriate way to render it. The algorithm followed for
this purpose is described in Microsoft's Knowledgebase article titled
MIME Type Detection in Internet Explorer [4] and implemented in the
function 'FindMimeFromData' in 'URLMON.DLL'[5].
In the following section, proof of concept code is provided to
demonstrate the problem using the local storage used by Internet
Explorer to store the user's browsing history to deliver HTML with
3. Attacker convinces victim to visit the direct link to the
uploaded file.
4. Victim's cookies and other sensitive data get sent to the
attacker's site.
5. Note: For Internet Explorer (v7, 8) the task is easier
because it does automatic MIME type detection, so you can execute
JavaScript content with any file extension, e.g. click
http://securethoughts.com/security/rssatomxss/anyfile.tx. However, other
browsers (Firefox 3.5, Safari 4, Opera 10 and Chrome 3) don't support
this functionality (perhaps for security reasons). So the extensions
mentioned above can be used as a workaround for script execution in Opera
The only browser found affected is Internet Explorer 5.0+; other
browsers (FF/Chrome/Opera..) seem to handle the issue correctly (or
simply blindly?).
IP.Board v2.x sets the MIME-type of *.txt files to
application/x-dirview. If the *.txt file contains JavaScript/HTML it
will simply be parsed on IE 5+.
IP.Board v3.0.4 (and prior) seems to check the content of the files
before permitting them; tags like "<body>, <script>, etc." are
by Core was actually exploiting a different bug than the one originally
reported and therefore it should be considered a separate security
issue. The URLMON sniffing vulnerability refers to the variant
discovered in the CORE-2008-0826 time line. When loading a local file
Internet Explorer's HTML rendering engine [7] will only check its MIME
type to see if it is a positive match on the files it can handle. For
unknown types that are treated as HTML because they've been referred to
by a redirection, content type determination will default to 'text/html'
in absence of a type explicitly set by the content source. In the case
of non-html files for which there isn't an explicit content-type set,
URLMON will default to the 'text/html' type as suggested from the
I. BACKGROUND
Mozilla Thunderbird is an open source electronic mail client and news
reader. Multipurpose Internet Message Extensions (MIME) is a standard
that defines how non-text attachments and other data are handled in
electronic mail. The external-body MIME type is used for retrieving a
resource that is referenced in the message, such as an attachment. For
more information, see the vendor's website at the following URL.
http://www.mozilla.com/en-US/thunderbird/
resubmit the issues to KDE and contacted oCERT asking for assistance in
disclosure coordination.
Ark input sanitization errors:
The KDE archiving tool, Ark, performs insufficient validation, which
allows specially crafted archive files using unknown MIME types to be
rendered by a KHTML instance; this can trigger uncontrolled
XMLHTTPRequests to remote sites.
IO Slaves input sanitization errors:
KDE protocol handlers perform insufficient input validation, an attacker
project.
To upload a file go to "/managefile.php?action=showproject&id=<projectId>"
and add a new file.
If a file with a .php extension is uploaded, the mimetype will be
"php/plain" and the program will change the extension to .txt in order
to prevent exploitation.
This security control can be bypassed by changing the mimetype to
text/plain; in this way the application will believe that a normal .txt
(http://www.aos.net.au) reported that the vmfeed module, an insecure
implementation of the insecure VMcasting protocol (http://www.vmcasting.org/)
includes a silent update mechanism that downloads and executes Python code
from Enomaly's corporate web server (http://enomaly.com/fileadmin/eggs/)
over HTTP, without authentication or integrity checks. The code is triggered
when the "application/python-egg" MIME type is encountered.
The module also contains functionality for downloading workloads (virtual
machines) from a feed which is itself retrieved over HTTP. While the VMcasting
protocol (http://www.vmcasting.org/) describes a mechanism for digitally
signing payloads, the mechanism is not implemented and there is no requirement
help:// URLs. This issue only affected Ubuntu 8.10.
Original advisory details:
It was discovered that the KDE libraries could use KHTML to process an
unknown MIME type. If a user or application linked against kdelibs were
tricked into opening a crafted file, an attacker could potentially trigger
XMLHTTPRequests to remote sites.
Updated packages for Ubuntu 8.10:
malicious page or open a malicious file.
The specific flaw exists within the libpr0n library which is responsible
for handling image caching and animation and is due to the way the
application handles animations received from the server via the
multipart/x-mixed-replace mimetype. During a case where the
bits-per-pixel changes, the application will free a pointer and then can
be made to reuse the freed pointer later. This can lead to code
execution under the context of the application.
-- Vendor Response:
Partially fixed in version 1.2.4.
It can still be exploited to execute arbitrary PHP code by uploading
a malicious PHP script with multiple extensions (e.g. "shell.php.gif")
if Apache is not configured to handle the mime-type for media files
with an e.g. "gif" extension.
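The bypass described for the .php-to-.txt rename above and the "shell.php.gif" multiple-extension case here share one root cause: the decision is driven by the client-declared MIME type or by only the last extension, while the web server may act on any extension in the name. The following is an added example, not code from either project. weak_rename() is a reconstruction of the flawed control as the earlier advisory describes it (the "php/plain" value is the one that advisory reports; the other entries in PHP_DECLARED_TYPES and the ALLOWED_EXTENSIONS policy are assumptions). safe_upload_name() ignores the declared type entirely and requires every dotted segment after the stem to be on an allowlist, which makes multi-extension names moot whatever Apache's AddType/AddHandler configuration is.

```python
"""Upload filename policy that does not trust the client's declared type.

Added example, not the vulnerable projects' code. Contrasts a rename driven
by the declared MIME type (bypassed by declaring text/plain) with an
allowlist applied to every extension in the name.
"""
import posixpath
import re

# Assumption: "php/plain" is the value the advisory reports; the others are
# common PHP types added so the weak control is not trivially incomplete.
PHP_DECLARED_TYPES = {"php/plain", "application/x-httpd-php", "application/x-php"}
ALLOWED_EXTENSIONS = {"gif", "jpg", "jpeg", "png", "txt"}  # assumption: site policy
_STEM_RE = re.compile(r"[^a-z0-9_-]")


def weak_rename(filename: str, declared_type: str) -> str:
    """Flawed control as described: only the declared type decides whether
    the file is neutralised by renaming it to .txt."""
    if declared_type in PHP_DECLARED_TYPES:
        return filename.rsplit(".", 1)[0] + ".txt"
    return filename


def safe_upload_name(filename: str):
    """Return a canonical 'stem.ext' or None if the name is rejected.

    Every dotted segment after the stem must be an allowed extension, so
    'shell.php.gif' is refused even though its final extension is fine.
    The declared Content-Type is deliberately not an input.
    """
    base = posixpath.basename(filename.replace("\\", "/")).lower()
    parts = base.split(".")
    if len(parts) < 2 or not parts[0]:
        return None                      # no extension, or dotfile like .htaccess
    stem, exts = parts[0], parts[1:]
    if any(ext not in ALLOWED_EXTENSIONS for ext in exts):
        return None                      # catches php, phtml, NUL-byte tricks, etc.
    stem = _STEM_RE.sub("_", stem)[:64]  # neutralise anything odd in the stem
    return "%s.%s" % (stem, exts[-1])


if __name__ == "__main__":
    print(weak_rename("shell.php", "php/plain"))    # neutralised
    print(weak_rename("shell.php", "text/plain"))   # bypass: still shell.php
    for name in ("avatar.gif", "shell.php", "shell.php.gif", "Shell.PHP.GIF",
                 "../../avatar.png", ".htaccess", "shell.php\x00.gif"):
        print(repr(name), "->", safe_upload_name(name))
```

Storing the file under a server-generated name in a directory with script execution disabled is the complementary control; the allowlist keeps the name itself from ever carrying an executable extension in the first place.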
======================================================================
6) Time Table
19/03/2010 - Vendor notified.
"hn6cats",
"icons",
"iplog",
"layout",
"leacher",
"mimetypes",
"misc",
"news_attachs",
"newsletteradmins",
"newsubnotify",
"notifylist",
Description
===========
Jesse Ruderman and Petko D. Petkov reported that the jar protocol
handler in Mozilla Firefox and Seamonkey does not properly check MIME
types (CVE-2007-5947). Gregory Fleischer reported that the
window.location property can be used to generate a fake HTTP Referer
(CVE-2007-5960). Multiple memory errors have also been reported
(CVE-2007-5959).
Impact
CVE-2009-3237
It has been discovered that horde3 is prone to cross-site scripting
attacks via crafted number preferences or inline MIME text parts when
using text/plain as MIME type.
For lenny this issue was already fixed, but as an additional security
precaution, the display of inline text was disabled in the configuration
file.
CVE-2009-3701
system.
The vulnerability is caused due to an error when processing data
streams and can be exploited to trigger a use-after-free condition by
returning a specially crafted data stream of e.g. an unexpected
MIME-type for which no handler is registered.
Successful exploitation allows execution of arbitrary code when a user
visits a malicious website.
======================================================================
were tricked into processing crafted input, an attacker could cause a
denial of service (via application crash) or possibly execute arbitrary
code with the privileges of the user invoking the program. (CVE-2009-0689)
Updated packages for Ubuntu 8.04 LTS:
bypassed by utilizing the session restore feature. An attacker could
exploit this to run JavaScript in the context of another site or
execute arbitrary JavaScript code with chrome privileges.
(CVE-2008-5019)
Justin Schuh discovered a flaw in Firefox's mime-type parsing. If a
user were tricked into opening a malicious website, an attacker could
send a crafted header in the HTTP index response, causing a browser
crash and execute arbitrary code with user privileges. (CVE-2008-0017)
A flaw was discovered in Firefox's DOM constructing code. If a user
front ends), DVI viewers and TeX itself, and many more (and the classic
"unshar", of course). It's just another round on a different operating
system.
Image viewers are particularly interesting because even if your favorite
and bug-ridden MIME types like image/gif are handled by a (supposedly
patched) mail/web client, chances are that the image viewer recognizes a
GIF image even if it is declared as image/x-xwindowdump, exposing its
vulnerable GIF code.
>
> GET /index.php?page=Poem/Poem.php HTTP/1.1
> Accept: image/gif, image/x-xbitmap, image/jpeg, image/pjpeg, application/x-ms-application, application/vnd.ms-xpsdocument, application/xaml+xml, application/x-ms-xbap, application/x-shockwave-flash, application/x-silverlight, */*
...and how did you confirm that? By seeing Silverlight in the accepted
mime-types header? Silverlight is a plugin which is a lot like the Flex
framework for Flash, only for .Net. So, I guess you have a Silverlight
application installed to play .WAV files, but this does not change the
fact that anything outside of IE (which has the Silverlight extension
installed) will use whatever the default media player is on your PC.
the necessary changes.
Details follow:
It was discovered that Thunderbird did not properly set the size of a
buffer when parsing an external-body MIME-type. If a user were to open
a specially crafted email, an attacker could cause a denial of service
via application crash or possibly execute arbitrary code as the user.
(CVE-2008-0304)
Various flaws were discovered in Thunderbird and its JavaScript
</html>
</xsl:template>
</xsl:stylesheet>
To mount the attack, the attacker would serve a web page which has XML
MIME type and requests to be styled by the evil stylesheet:
<?xml version="1.0" encoding="ISO-8859-1"?>
<?xml-stylesheet type="text/xsl" href="safaristealfilebug.xsl"?>
<xml>
irrelevant
We apologize for the inconvenience.
Original advisory details:
</html>
</xsl:template>
</xsl:stylesheet>
To mount the attack, the attacker would serve a web page which has XML
MIME type and requests to be styled by the evil stylesheet:
<?xml version="1.0" encoding="ISO-8859-1"?>
<?xml-stylesheet type="text/xsl" href="safaristealmailbug.xsl"?>
<xml>
irrelevant
6. *Vendor Information, Solutions and Workarounds*
The vendor did not provide this information. A possible mitigation
action would be to enable MIME type filtering in your IDS/proxies and
block S3DPlayer traffic:
/-----------
application/x-ston3d-stk
|