Survey: "MIME/Content-Type-Sniffing" Issues in Image Uploads in Forum Scripts Author: Jacques Copeau Abstract ==================================================== Internet Explorer, especially versions 7 and 6, can be tricked to treat images as html, opening XSS vulnerabilities in software that allows uploads. IN a survey, we found myBB, fluxBB, phorum, SMF and WBB to be vulnerable to such attacks. I Introduction ==================================================== Mime or Content Type sniffing[1] is a standard functionality in browsers to find an appropriate way to render data where the HTTP headers sent by the server are either inconclusive or missing. Especially the Internet Explorer browser is known to use this technique even in cases where the server sends a specific content type header[2]. Internet explorer resorts to mime sniffing when either the Content-Type header and the "magic" signature at the beginning contradict or when the Content-Type header is unknown. In that case, IE will try to establish the content type and can be tricked into assuming text/html by placing certain HTML tags within the first 255 bytes of the file. Note that such files can be valid image files despite their HTML payload. A frequent example for unknown content-types is "image/bmp", which is created by PHP's (< 5.3.0) getimagesize API function[4]. This is - the obvious XSS issue aside - used for phishing attachs[3]. As file -- especially image -- uploads are a standard feature in forum scripts, we took the opportunity to survey popular forum script, whose vendors claim to be security conscious, regarding their handling of file uploads with regard to handling mime sniffing. We surveyed MyBB (1.4.5), SMF (1.1.18 / 2.0RC1), phpBB (2.0.23/3.0.4), FluxBB (1.3), phorum (5.2.10), WBB (lite/3.0.8) and vBulletin (3.8.2). Of the surveyed scripts, only phpBB and vBulletin had sufficient safeguards against attacks using mime sniffing in place. All other scripts were found to be vulnerable. We consider it to be remarkable that a suprisingly big number of scripts had no guards against a relatively well-known attack vector. However, it enabled us to directly compare the reactions of different vendors to a very similar issues. In II, we will present our findings of the survey; in III we detail the reactions of the different vendors and in IV offer our conclusions. II Survey ==================================================== 1 Methodology _____For our analysis we used popular and well known PHP forum scripts with file uploading functions. We did not survey scripts like bbPress and Vanilla, which require plugins for file uploading. In Open Source scripts, we analysed the code to find out about the safeguards in place; the closed source scripts vB and WBB* were not analysed on the source-code level. We notified all vendors on April 30th. Vendors, who had not replied, were notified again on May 7th with a clear note about our intention to publish the results after four weeks. We tested for content type sniffing vulnerabilities with six different files: -A valid BMP with html/javascript in the palette (1) -A valid BMP with obfuscated html/javascript in the palette (2) -A valid PNG with html/javascript in a comment -- with an extension ".jpg". (3) -- with an extension ".gif". (4) -A valid png with obfuscated html/javascript in a comment and a .gif extension (5) -An invalid gif with javascript and a .gif extension (6) The files with obfuscated javascript were used to test the strength of filters employed by some forum scripts. We checked for three established kinds of defense against malicious uploads that exploit IE mime sniffing: - Rejecting files with patterns triggering sniffing text/html(blacklisting) - Setting correct headers to avoid sniffing from happening (validating) - remaking files with GD or IM (sanitizing) *WBB lite was analysed; we believe that the "full" WBB shares the same mechanism. 2 Detailed Descriptions _____ MyBB relied on setting headers and forced the download of files (i.e. content-disposition: attachment). This is a sufficient safeguard for IE7, but IE6 has the added complexity that it ignores the content-disposition, when the file is already cached. This can happen when the user cancels the download dialog and then visits the download url again. The script used the incorrect image/bmp content type, making the issue manifest with files (1) and (2). It should be noted that the issue was thus far harder to exploit in MyBB and not without social engineering. FluxBB utilized no validation of image files on upload, except a basic file type check. File 3 circumvented that check. SMF (1.1 and 2.0) uses file validation to guard against mime sniffing. However, we found all current versions to be lacking, as they use the getimagesize function to set headers. The files (1) and (2) were able to bypass that defense. Both WBB lite and WBB did not guard sufficiently against file (2) - the obfuscated JS in a valid bitmap - and delivered it with the incorrect header "image/bmp". The software filtered only the presence of "<script>" tags, making it easy to evade the blacklist. vBulletin uses a blacklist to guard against mime sniffing. We found no HTML tag that would lead IE 6/7 to mime sniff[1] a text/html type to be missing from that list. phpBB2 was found not to be vulnerable, as it does only allows files of the types png, gif and jpeg. For all these filestypes, the software sends correct headers. phpBB3 has a far more flexible upload system, but uses both comprehensive blacklisting and upload validation to guard against issues. We were not able to exploit IE mime sniffing within phpBB3. 3 Tabulated Results _____ Script Defense Working Exploits Notes MyBB Validation 1,2 Only vulnerable with IE6 and only under obscure circumstances FluxBB None 3 Phorum None 1,2,3,4,5,6 SMF 1.1.18 Validation 1,2 SMF 2.0RC1 Validation 1,2 WBB lite Blacklist 2 WBB 3.0.8 Blacklist 2 vBulletin Blacklist - phpBB2 Validation - phpBB3 Validation + Blacklist - III Post-Mortem ==================================================== 1 Vendor Reaction _____ FluxBB reacted on the same day, commiting a fix with credit on April 30th. MyBB reacted within a day, releasing a fixed version on May 3rd. Credit was given. Phorum reacted after the reminder on May 8th. A fix was released on May 22nd with credit. Simplemachines reacted after a reminder on My 7th. The fix with somewhat hidden credit was published on May 20th; the issue was left unpatched in the download packages. Only the manual update instructions contained a correct solution. After notifying the vendor about the error, the packages were fixed; however, without any visible notificatin for users. It can be assumed that a large number of installations is left vulnerable because of this oversight. Woltlab, the vendor of WBB, had no security address and no security contact form. The email bounced; after emailing the lead dev's address, we got a reply on May 7th. To the best of our knowledge, the issue hasn't been patched since then. 2 Tabulated Results _____Script Vendor Reaction Fix Released Credit Fix Valid MyBB May 1st 2009 May 3rd 2009 Yes Yes FluxBB April 30th 2009 April 30th 2009 Yes Yes Phorum May 8th 2009 May 22nd 2009 Yes Yes SMF 1.1.18 May 7th 2009 May 20th 2009 Yes Yes SMF 2.0RC1 May 7th 2009 May 20th 2009 Yes No (corrected May 28th) WBB lite May 7th 2009 Pending WBB 3.0.8 May 7th 2009 Pending IV Conclusion ==================================================== The good news is that all open source projects reacted in a timely manner, with a valid fix. Users of non OSI open-source scripts like WBB or SMF seem to be in more trouble; the vendors were slow to react and provided substandard solutions -- if they patched the issue at all. The license issue forbids forking in such cases. It is our hope that this instance serves as a heads-up. The findings could indicate seems that the more popular scripts like vBulletin or phpBB have a tighter proccess regrading security, but this can hardly be based on one kind of vulnerabilty alone. The bigger userbase certainly makes those scripts a more likely target; at the same time it provides more feedback to developers. Our final ranking is: vBulletin and phpBB were not vulnerable; the developers seem to follow the developments of the security scene. FluxBB was very quick to react, shortly followed by MyBB. Phorum gave a lot of feedback about the current state; they invested a lot of effort to independently research the issue and provided a well-designed fix. SMF was slow to react; while they provided a valid fix, it seems that a packaging error slipped past the quality assurance, resulting in the issue staying unfixed in the downloadable packages. Woltlab was slow to react and provided little feedback. Looking at other issues[5] indicated that this is common behavior for the vendor. In either way, it is our hope that the increased awareness and the release of IE8 and php5.3 will reduce - if not eliminate - the risk of such mime sniffing attacks in the future. V References ==================================================== [1] Barth, Caballero, Song: "Secure Content Sniffing for Web Browsers, or How to Stop Papers from Reviewing Themselves"; in IEEE Security & Privacy (Oakland 2009) [2] Sudhof: "Risky sniffing" in http://www.h-online.com/security/Risky-MIME-sniffing-in-Internet-Explorer--/features/112589 [3] http://asert.arbornetworks.com/2009/03/mime-sniffing-and-phishing/ [4] http://bugs.php.net/bug.php?id=47359 [5] http://secunia.com/advisories/34220/ APPENDIX: Advisories ==================================================== Advisory: Cross-Site Scripting in Avatar uploads in fluxBB Application: fluxBB Vulnerable Versions: 1.3-legacy and older 1.3 versions. Reported By: Jacques Copeau Note *********** This advisory is part of a survey about vulnerable file uploads in forum software. The survey will be published after all vendors have fixed their applications. We will publish no individual advisories, however we will include the speed, quality of the fix along with the vendor reaction in the survey. Description *********** FluxBB is a free open source forum application designed to be fast, light and user friendly. Version 1.3 of FluxBB, currently under development, adds a powerful extension system. Details ******* FluxBB does not sufficiently sanitize images uploaded by users, leading to a Cross-Site-Scripting vulnerability. The problem arises that IE uses mime- sniffing to establish the file type when being confronted with an unknown header; crafted image files can be falsely identified as text/html, leading to a cross-site-scripting vulnerability. In particular, many web applications use the incorrect mime-type image/bmp, which triggers the described sniffing. FluxBB in particular does no validation regarding the images file type. Fix Information *************** Update to newest version. Timeline: *********** April 30th 2009: Contacted Vendor April 30th 2009: Vendor reaction April 30th 2009: Vendor commits fix May 28th 2009: Full Disclosure References: *********** http://www.h-online.com/security/Risky-MIME-sniffing-in-Internet-Explorer--/features/112589 http://bugs.php.net/bug.php?id=47359 http://fluxbb.org/downloads/dev.php ======================================================== Advisory : Cross-Site Scripting in Attachment uploads in SMF Application: Simplemachines Forum Vulnerable Versions: 2.0RC1; 1.0.x, <= 1.1.18 Reported By: Jacques Copeau Note *********** This advisory is part of a survey about vulnerable file uploads in forum software. The survey will be published after all vendors have fixed their applications. We will publish no individual advisories, however we will include the speed, quality of the fix along with the vendor reaction in the survey. Description *********** Simple Machines Forum SMF in short is a free, professional grade software package that allows you to set up your own online community within minutes. Its powerful custom made template engine puts you in full control of the lay-out of your message board and with our unique SSI - or Server Side Includes - function you can let your forum and your website interact with each other. SMF is written in the popular language PHP and uses a MySQL database. It is designed to provide you with all the features you need from a bulletin board while having an absolute minimal impact on the resources of the server. SMF is the next generation of forum software - and best of all it is and will always remain completely free! Details ******* SMF does not sufficiently sanitize images uploaded by users, leading to a Cross-Site-Scripting vulnerability. The problem arises that IE uses mime- sniffing to establish the file type when being confronted with an unknown header; crafted image files can be falsely identified as text/html, leading to a cross-site-scripting vulnerability. In particular, many web applications use the incorrect mime-type image/bmp, which triggers the described sniffing. SMF does not perform sufficient sanitation on uploaded bmp files, allowing the upload of such crafted files as attachment. Fix Information *************** Users of SMF 1.1 should update to SMF 1.1.19; users of SMF RC1 should use the manual instructions to update to 2.0RC1.1. Timeline: *********** April 30th 2009: Contacted Vendor May 4th 2009: Re-contacted Vendor due to no reaction May 7th 2009: Vendor reaction May 20th 2009: 1.1.19 released ; 2.0RC1 left vulnerable May 27th 2009: Notified vendor about faulty fix May 28th 2009: Vendor fixes packaging May 28th 2009: Full Disclosure References: *********** http://www.h-online.com/security/Risky-MIME-sniffing-in-Internet-Explorer--/features/112589 http://bugs.php.net/bug.php?id=47359 http://www.simplemachines.org/ ======================================================== Advisory : Cross-Site Scripting in file uploads in Phorum Application: Phorum Vulnerable Versions: <= 5.2.10 Reported By: Jacques Copeau Note *********** This advisory is part of a survey about vulnerable file uploads in forum software. The survey will be published after all vendors have fixed their applications. We will publish no individual advisories, however we will include the speed, quality of the fix along with the vendor reaction in the survey. Description *********** Started in 1998, Phorum was the original PHP and MySQL based Open Source forum software. Phorum's developers pride themselves on creating message board software that is designed to meet different needs of different web sites while not sacrificing performance or features. Details ******* Phorum does not sufficiently sanitize images uploaded by users, leading to a Cross-Site-Scripting vulnerability. The problem arises that IE uses mime- sniffing to establish the file type when being confronted with an unknown header; crafted image files can be falsely identified as text/html, leading to a cross-site-scripting vulnerability. In particular, many web applications use the incorrect mime-type image/bmp, which triggers the described sniffing. Phorum does not perform sufficient sanitation on uploaded files, allowing the upload of such crafted files. Fix Information *************** Update to 5.2.11 Timeline: *********** April 30th 2009: Contacted Vendor May 7th 2009: Re-Contacted Vendor May 8th 2009: Vendor response May 22nd 2009: Vendor released 5.2.11 May 28th 2009: Full Disclosure References: *********** http://www.h-online.com/security/Risky-MIME-sniffing-in-Internet-Explorer--/features/112589 http://bugs.php.net/bug.php?id=47359 http://www.phorum.org/ ======================================================== Advisory : Cross-Site Scripting in file uploads in WBB Application: Woltlab Burning Board Vulnerable Versions: WBB 3 <= 3.0.8; WBBlite <= 2.0.1 Reported By: Jacques Copeau Note *********** This advisory is part of a survey about vulnerable file uploads in forum software. The survey will be published after all vendors have fixed their applications. We will publish no individual advisories, however we will include the speed, quality of the fix along with the vendor reaction in the survey. Description *********** Burning Board 3 is the modern, secure and user friendly solution for your discussion board! Details ******* WBB does not sufficiently sanitize images uploaded by users, leading to a Cross-Site-Scripting vulnerability. The problem arises that IE uses mime- sniffing to establish the file type when being confronted with an unknown header; crafted image files can be falsely identified as text/html, leading to a cross-site-scripting vulnerability. In particular, many web applications use the incorrect mime-type image/bmp, which triggers the described sniffing. The WCF only filters for <script> html tags, which is not sufficient to sanitize uploaded files. Fix Information *************** The issue is as of now unfixed in WBB; however php 5.3. and IE8 include code to mitigate the issue. Timeline: *********** April 30th 2009: Contacted Vendor May 7th 2009: re-Contacted Vendor May 8th 2009: Vendor Response May 28th 2009: Full Disclosure References: *********** http://www.h-online.com/security/Risky-MIME-sniffing-in-Internet-Explorer--/features/112589 http://bugs.php.net/bug.php?id=47359 http://www.woltlab.com/ ======================================================== Advisory : Cross-Site Scripting vulnerabilities in MyBB Attachments Application: MyBB Vulnerable Versions: <= 1.4.5 Reported By: Jacques Copeau Note *********** This advisory is part of a survey about vulnerable file uploads in forum software. The survey will be published after all vendors have fixed their applications. We will publish no individual advisories, however we will include the speed, quality of the fix along with the vendor reaction in the survey. Description *********** MyBB is a forum package full of useful and to-the-point features, helping you to make administrating your bulletin board as easy as possible. We highlighted some of MyBB's best capabilities, to show you why you should choose MyBB over any other discussion board. Details ******* MyBB does not sufficiently sanitize images uploaded by users, leading to a Cross-Site-Scripting vulnerability. The problem arises that IE uses mime- sniffing to establish the file type when being confronted with an unknown header; crafted image files can be falsely identified as text/html, leading to a cross-site-scripting vulnerability. In particular, many web applications use the incorrect mime-type image/bmp, which triggers the described sniffing. MyBB uses the content-disposition:attachment header to defend against such mime-sniffing. However, the IE6 browser does not respect that header to the necessary extent; when clicking cancel upon visiting a malicious attachment, all future visits will render the XSS vector. Discussion ******* The XSS renders only for visitors using the IE6 browser, and even then only when cancelling the download. Fix Information *************** Update to myBB 1.4.5 Timeline: *********** April 30th 2009: Contacted Vendor May 1st 2009: Vendor response May 4th 2009: MyBB 1.4.5 released May 28th 2009: Full Disclosure References: *********** http://www.h-online.com/security/Risky-MIME-sniffing-in-Internet-Explorer--/features/112589 http://bugs.php.net/bug.php?id=47359 http://www.mybboard.net/