Logo Questions Linux Laravel Mysql Ubuntu Git Menu
HTML CSS JAVASCRIPT SQL PYTHON PHP BOOTSTRAP JAVA JQUERY R React Kotlin
 

MIME Type spoofing

Tags:

mime-types

html

security

php

spoofing

Checking for mime type in php is pretty easy but as far as I know mime can be spoofed. The attacker can upload a php script with for example jpeg mime type. One thing that comes to mind is to check the file extension of the uploaded file and make sure it matches the mime type. All of this is assuming the upload directory is browser accessible.

Question: Are there any other techniques for preventing "bad files" from getting in with mime type spoofing?

like image 921
abruski Avatar asked Nov 06 '11 15:11

abruski

2 Answers

Short answer: No.

Longer answer:

Comparing the extension and making sure that it matches the MIME type doesn't really prevent anything. As was said in the comments, it's even easier to modify a file extension. MIME type and extension are only to be meant as hints, there's no inherent security in them.

Ensuring that incoming files do no harm is very dependent on what your purpose for them is going to be. In your case I understood that you are expecting images. So what you could do is perform some sanity checks first: scan the first couple of bytes to see if the files contain the relevant image header signatures - all relevant image formats have these.

The "signature headers" help you to decide what kind of image format a file tries to impersonate. In a next step you could check if the rest of the contents are compliant with the underlying image format. This would guarantee you that the file is really an image file of that specific format.

But even then, the file could be carefully crafted in a way that when you display the image, a popular library used to display that image (e.g. libpng etc.) would run into a buffer overflow that the attacker found in that library.

Unfortuantely there's no way to actively prevent this besides not allowing any input from the client side at all.

like image 104
emboss Avatar answered Oct 03 '22 09:10

emboss

Caution - this answer is now obsolete

The documentation for getimagesize explicitly states "Do not use getimagesize() to check that a given file is a valid image.

In case of Images

  • Check the extension with a list of allowed ones (ex. ".jpg", ".jpeg", ".png")
  • Check the uploaded file itself by running getimagesize on the file, it will return FALSE if it's not an image.

Other types of upload

  • Check the allowed extensions (ex. ".pdf")
  • Check that the mime type of the file corresponds to the extension

Sample code:

function getRealMimeType($filename) {
    $finfo = new finfo(FILEINFO_MIME, "/usr/share/misc/magic"); 
    if (!$finfo) {
        echo "Opening fileinfo database failed";
        return "";
    }
    return $finfo->file($filename);
}

See finfo_file documentation.

like image 34
stivlo Avatar answered Oct 03 '22 07:10

stivlo
Sign in to Comment

Related questions

Convert SQL Server tables to MySQL using ZF2 and Doctrine2
PHP Websocket undefined in Edge Browser
Deprecation warnings after upgrading Symfony 4.3.9 to 4.4.1/5.0
PHP versions "market share"
Valid Email Addresses - XSS and SQL Injection
Algorithm using soundex() or metaphone() to create Mad Gab style phrases
redirect to same page to anchor [duplicate]
Continuous Integration using composer
manipulating template in PHPWord
How to combine JMVC (javascript-mvc) and server side MVC together
Why doesn't MySQLi library natively support named parameters?
Mediawiki login cancelled to prevent session hijacking
How does Laravel parse the .env file?
Using PHPUnit to test cookies and sessions, how?
AJAX Polling Frequency - To long poll or not to long poll?
trigger_error vs. throwing exceptions
extending PDO class
Cron Tasks on load balanced web servers
jQuery (or any web tool) Nested Expression Builder
How to develop a CRM system [closed]

Donate For Us

If you love us? You can donate to us via Paypal or buy me a coffee so we can maintain and grow! Thank you!