Survey: "MIME/Content-Type-Sniffing" Issues in Image Uploads in Forum Scripts
Author: Jacques Copeau

Abstract
====================================================
Internet Explorer, especially versions 7 and 6, can be tricked to treat images
as html, opening XSS vulnerabilities in software that allows uploads.
IN a survey, we found myBB, fluxBB, phorum, SMF and WBB to be vulnerable to
such attacks.

I Introduction
====================================================
Mime or Content Type sniffing[1] is a standard functionality in browsers to find
an appropriate way to render data where the HTTP headers sent by the server are
either inconclusive or missing. Especially the Internet Explorer browser is
known to use this technique even in cases where the server sends a specific
content type header[2].
Internet explorer resorts to mime sniffing when either the
Content-Type header and
the "magic" signature at the beginning contradict or when the
Content-Type header
is unknown. In that case, IE will try to establish the content type and can be
tricked into assuming text/html by placing certain HTML tags within the first
255 bytes of the file. Note that such files can be valid image files
despite their
HTML payload.
A frequent example for unknown content-types is "image/bmp", which is created by
PHP's (< 5.3.0) getimagesize API function[4].
This is - the obvious XSS issue aside - used for phishing attachs[3].

As file -- especially image -- uploads are a standard feature in forum scripts,
we took the opportunity to survey popular forum script, whose vendors
claim to be
security conscious, regarding their handling of file uploads with regard to
handling mime sniffing.
We surveyed MyBB (1.4.5), SMF (1.1.18 / 2.0RC1), phpBB (2.0.23/3.0.4),
FluxBB (1.3),
phorum (5.2.10), WBB (lite/3.0.8) and vBulletin (3.8.2).
Of the surveyed scripts, only phpBB and vBulletin had sufficient safeguards
against attacks using mime sniffing in place. All other scripts were found to be
vulnerable.

We consider it to be remarkable that a suprisingly big number of scripts had
no guards against a relatively well-known attack vector. However, it enabled us
to directly compare the reactions of different vendors to a very similar issues.

In II, we will present our findings of the survey; in III we detail
the reactions
of the different vendors and in IV offer our conclusions.

II Survey
====================================================
1 Methodology
____________________________________________________
For our analysis we used popular and well known PHP forum scripts with file
uploading functions. We did not survey scripts like bbPress and Vanilla,
which require plugins for file uploading.
In Open Source scripts, we analysed the code to find out about the
safeguards in
place; the closed source scripts vB and WBB* were not analysed on the
source-code
level.
We notified all vendors on April 30th. Vendors, who had not replied,
were notified
again on May 7th with a clear note about our intention to publish the results
after four weeks.


We tested for content type sniffing vulnerabilities with six different files:
-A valid BMP with html/javascript in the palette (1)
-A valid BMP with obfuscated html/javascript in the palette (2)
-A valid PNG with html/javascript in a comment
-- with an extension ".jpg". (3)
-- with an extension ".gif". (4)
-A valid png with obfuscated html/javascript in a comment and a .gif
extension (5)
-An invalid gif with javascript and a .gif extension (6)

The files with obfuscated javascript were used to test the strength of filters
employed by some forum scripts.

We checked for three established kinds of defense against malicious uploads that
exploit IE mime sniffing:
- Rejecting files with patterns triggering sniffing text/html(blacklisting)
- Setting correct headers to avoid sniffing from happening (validating)
- remaking files with GD or IM (sanitizing)


*WBB lite was analysed; we believe that the "full" WBB shares the same
mechanism.

2 Detailed Descriptions
____________________________________________________

MyBB relied on setting headers and forced the download of files
(i.e. content-disposition: attachment). This is a sufficient safeguard for IE7,
but IE6 has the added complexity that it ignores the content-disposition, when
the file is already cached. This can happen when the user cancels the download
dialog and then visits the download url again. The script used the incorrect
image/bmp content type, making the issue manifest with files (1) and (2).
It should be noted that the issue was thus far harder to exploit in MyBB and not
without social engineering.

FluxBB utilized no validation of image files on upload, except a basic
file type
check. File 3 circumvented that check.

SMF (1.1 and 2.0) uses file validation to guard against mime sniffing. However,
we found all current versions to be lacking, as they use the getimagesize
function to set headers. The files (1) and (2) were able to bypass that defense.

Both WBB lite and WBB did not guard sufficiently against file (2) -
the obfuscated
JS in a valid bitmap - and delivered it with the incorrect header
"image/bmp". The
software filtered only the presence of "<script>" tags, making it easy to evade
the blacklist.

vBulletin uses a blacklist to guard against mime sniffing. We found no HTML tag
that would lead IE 6/7 to mime sniff[1] a text/html type to be missing
from that list.

phpBB2 was found not to be vulnerable, as it does only allows files of the types
png, gif and jpeg. For all these filestypes, the software sends correct headers.

phpBB3 has a far more flexible upload system, but uses both comprehensive
blacklisting and upload validation to guard against issues. We were not able to
exploit IE mime sniffing within phpBB3.


3 Tabulated Results
____________________________________________________

Script       Defense                  Working Exploits     Notes

MyBB         Validation               1,2                  Only
vulnerable with IE6 and only under obscure circumstances
FluxBB       None                     3
Phorum       None                     1,2,3,4,5,6
SMF 1.1.18   Validation               1,2
SMF 2.0RC1   Validation               1,2
WBB lite     Blacklist                2
WBB 3.0.8    Blacklist                2
vBulletin    Blacklist                -
phpBB2       Validation               -
phpBB3       Validation + Blacklist   -


III Post-Mortem
====================================================
1 Vendor Reaction
____________________________________________________

FluxBB reacted on the same day, commiting a fix with credit on April 30th.

MyBB reacted within a day, releasing a fixed version on May 3rd.
Credit was given.

Phorum reacted after the reminder on May 8th. A fix was released on
May 22nd with credit.

Simplemachines reacted after a reminder on My 7th. The fix with
somewhat hidden credit
was published on May 20th; the issue was left unpatched in the
download packages.
Only the manual update instructions contained a correct solution.
After notifying
the vendor about the error, the packages were fixed; however, without
any visible
notificatin for users. It can be assumed that a large number of installations is
left vulnerable because of this oversight.

Woltlab, the vendor of WBB, had no security address and no security
contact form. The
email bounced; after emailing the lead dev's address, we got a reply
on May 7th. To the
best of our knowledge, the issue hasn't been patched since then.

2 Tabulated Results
____________________________________________________
Script       Vendor Reaction          Fix Released       Credit     Fix Valid

MyBB         May 1st 2009             May 3rd 2009       Yes        Yes
FluxBB       April 30th 2009          April 30th 2009    Yes        Yes
Phorum       May 8th 2009             May 22nd 2009      Yes        Yes
SMF 1.1.18   May 7th 2009             May 20th 2009      Yes        Yes
SMF 2.0RC1   May 7th 2009             May 20th 2009      Yes        No
(corrected May 28th)
WBB lite     May 7th 2009             Pending
WBB 3.0.8    May 7th 2009             Pending


IV Conclusion
====================================================
The good news is that all open source projects reacted in a timely manner,
with a valid fix. Users of non OSI open-source scripts like WBB or SMF
seem to be in more trouble; the vendors were slow to react and provided
substandard solutions -- if they patched the issue at all. The license issue
forbids forking in such cases.
It is our hope that this instance serves as a heads-up.
The findings could indicate seems that the more popular scripts like vBulletin
or phpBB have a tighter proccess regrading security, but this can hardly be
based on one kind of vulnerabilty alone. The bigger userbase certainly makes
those scripts a more likely target; at the same time it provides more feedback
to developers.

Our final ranking is:
vBulletin and phpBB were not vulnerable; the developers seem to follow the
developments of the security scene.
FluxBB was very quick to react, shortly followed by MyBB.
Phorum gave a lot of feedback about the current state; they invested a lot
of effort to independently research the issue and provided a well-designed
fix.
SMF was slow to react; while they provided a valid fix, it seems that a
packaging error slipped past the quality assurance, resulting in the issue
staying unfixed in the downloadable packages.
Woltlab was slow to react and provided little feedback. Looking at other
issues[5] indicated that this is common behavior for the vendor.

In either way, it is our hope that the increased awareness and the release
of IE8 and php5.3 will reduce - if not eliminate - the risk of such mime
sniffing attacks in the future.

V References
====================================================

[1] Barth, Caballero, Song: "Secure Content Sniffing for Web Browsers, or
How to Stop Papers from Reviewing Themselves"; in IEEE Security &
Privacy (Oakland 2009)
[2] Sudhof: "Risky sniffing" in
http://www.h-online.com/security/Risky-MIME-sniffing-in-Internet-Explorer--/features/112589
[3] http://asert.arbornetworks.com/2009/03/mime-sniffing-and-phishing/
[4] http://bugs.php.net/bug.php?id=47359
[5] http://secunia.com/advisories/34220/

APPENDIX: Advisories
====================================================

Advisory: “Cross-Site Scripting” in Avatar uploads in fluxBB

Application: fluxBB
Vulnerable Versions: 1.3-legacy and older 1.3 versions.
Reported By: Jacques Copeau

Note
***********
This advisory is part of a survey about vulnerable file uploads in forum
software. The survey will be published after all vendors have fixed their
applications. We will publish no individual advisories, however we will
include the speed, quality of the fix along with the vendor reaction in
the survey.

Description
***********

FluxBB is a free open source forum application designed to be fast, light
and user friendly. Version 1.3 of FluxBB, currently under development, adds
a powerful extension system.


Details
*******
FluxBB does not sufficiently sanitize images uploaded by users, leading to
a Cross-Site-Scripting vulnerability. The problem arises that IE uses mime-
sniffing to establish the file type when being confronted with an unknown
header; crafted image files can be falsely identified as text/html,
leading to a cross-site-scripting vulnerability.
In particular, many web applications use the incorrect mime-type image/bmp,
which triggers the described sniffing.
FluxBB in particular does no validation regarding the image’s file type.


Fix Information
***************
Update to newest version.

Timeline:
***********
April 30th 2009: Contacted Vendor
April 30th 2009: Vendor reaction
April 30th 2009: Vendor commits fix
May 28th 2009: Full Disclosure

References:
***********

http://www.h-online.com/security/Risky-MIME-sniffing-in-Internet-Explorer--/features/112589

http://bugs.php.net/bug.php?id=47359

http://fluxbb.org/downloads/dev.php


========================================================


Advisory : “Cross-Site Scripting” in Attachment uploads in SMF

Application: Simplemachines Forum
Vulnerable Versions: 2.0RC1; 1.0.x, <= 1.1.18
Reported By: Jacques Copeau

Note
***********
This advisory is part of a survey about vulnerable file uploads in forum
 software. The survey will be published after all vendors have fixed their
applications. We will publish no individual advisories, however we will
include the speed, quality of the fix along with the vendor reaction in
the survey.

Description
***********

Simple Machines Forum — SMF in short — is a free, professional grade
software package that allows you to set up your own online community
within minutes.
Its powerful custom made template engine puts you in full control of
the lay-out of your message board and with our unique SSI - or Server
Side Includes - function you can let your forum and your website
interact with each other.
SMF is written in the popular language PHP and uses a MySQL database.
It is designed to provide you with all the features you need from a
bulletin board while having an absolute minimal impact on the
resources of the server. SMF is the next generation of forum software
- and best of all it is and will always remain completely free!


Details
*******
SMF does not sufficiently sanitize images uploaded by users, leading to
a Cross-Site-Scripting vulnerability. The problem arises that IE uses mime-
sniffing to establish the file type when being confronted with an unknown
 header; crafted image files can be falsely identified as text/html,
 leading to a cross-site-scripting vulnerability.
In particular, many web applications use the incorrect mime-type image/bmp,
which triggers the described sniffing.
SMF does not perform sufficient sanitation on uploaded bmp files, allowing
the upload of such crafted files as attachment.


Fix Information
***************

Users of SMF 1.1 should update to SMF 1.1.19; users of SMF RC1 should
use the manual instructions to update to 2.0RC1.1.

Timeline:
***********
April 30th 2009: Contacted Vendor
May 4th 2009: Re-contacted Vendor due to no reaction
May 7th 2009: Vendor reaction
May 20th 2009: 1.1.19 released ; 2.0RC1 left vulnerable
May 27th 2009: Notified vendor about faulty fix
May 28th 2009: Vendor fixes packaging
May 28th 2009: Full Disclosure

References:
***********

http://www.h-online.com/security/Risky-MIME-sniffing-in-Internet-Explorer--/features/112589

http://bugs.php.net/bug.php?id=47359

http://www.simplemachines.org/

========================================================

Advisory : “Cross-Site Scripting” in file uploads in Phorum

Application: Phorum
Vulnerable Versions: <= 5.2.10
Reported By: Jacques Copeau

Note
***********
This advisory is part of a survey about vulnerable file uploads in forum
software. The survey will be published after all vendors have fixed their
applications. We will publish no individual advisories, however we will
include the speed, quality of the fix along with the vendor reaction in
the survey.

Description
***********

Started in 1998, Phorum was the original PHP and MySQL based Open Source
forum software. Phorum's developers pride themselves on creating message
board software that is designed to meet different needs of different web
sites while not sacrificing performance or features.

Details
*******
Phorum does not sufficiently sanitize images uploaded by users, leading to
a Cross-Site-Scripting vulnerability. The problem arises that IE uses mime-
sniffing to establish the file type when being confronted with an unknown
header; crafted image files can be falsely identified as text/html,
leading to a cross-site-scripting vulnerability.
In particular, many web applications use the incorrect mime-type image/bmp,
which triggers the described sniffing.
Phorum does not perform sufficient sanitation on uploaded files, allowing
the upload of such crafted files.


Fix Information
***************
Update to 5.2.11

Timeline:
***********
April 30th 2009: Contacted Vendor
May 7th 2009: Re-Contacted Vendor
May 8th 2009: Vendor response
May 22nd 2009: Vendor released 5.2.11
May 28th 2009: Full Disclosure

References:
***********

http://www.h-online.com/security/Risky-MIME-sniffing-in-Internet-Explorer--/features/112589

http://bugs.php.net/bug.php?id=47359

http://www.phorum.org/


========================================================

Advisory : “Cross-Site Scripting” in file uploads in WBB

Application: Woltlab Burning Board
Vulnerable Versions: WBB 3 <= 3.0.8; WBBlite <= 2.0.1
Reported By: Jacques Copeau

Note
***********
This advisory is part of a survey about vulnerable file uploads in forum
 software. The survey will be published after all vendors have fixed their
applications. We will publish no individual advisories, however we will
include the speed, quality of the fix along with the vendor reaction in
the survey.

Description
***********

Burning Board 3 is the modern, secure and user friendly solution
for your discussion board!

Details
*******
WBB  does not sufficiently sanitize images uploaded by users, leading to
a Cross-Site-Scripting vulnerability. The problem arises that IE uses mime-
sniffing to establish the file type when being confronted with an unknown
header; crafted image files can be falsely identified as text/html,
leading to a cross-site-scripting vulnerability.
In particular, many web applications use the incorrect mime-type image/bmp,
which triggers the described sniffing.
The WCF only filters for <script> html tags, which is not sufficient to
sanitize uploaded files.


Fix Information
***************

The issue is as of now unfixed in WBB; however php 5.3. and IE8 include
code to mitigate the issue.

Timeline:
***********
April 30th 2009: Contacted Vendor
May 7th 2009: re-Contacted Vendor
May 8th 2009: Vendor Response
May 28th 2009: Full Disclosure

References:
***********

http://www.h-online.com/security/Risky-MIME-sniffing-in-Internet-Explorer--/features/112589

http://bugs.php.net/bug.php?id=47359

http://www.woltlab.com/



========================================================

Advisory : “Cross-Site Scripting” vulnerabilities in MyBB Attachments

Application: MyBB
Vulnerable Versions: <= 1.4.5
Reported By: Jacques Copeau

Note
***********
This advisory is part of a survey about vulnerable file uploads in forum
 software. The survey will be published after all vendors have fixed their
applications. We will publish no individual advisories, however we will
include the speed, quality of the fix along with the vendor reaction in
the survey.

Description
***********

MyBB is a forum package full of useful and to-the-point features, helping
you to make administrating your bulletin board as easy as possible. We
highlighted some of MyBB's best capabilities, to show you why you
should choose MyBB over any other discussion board.


Details
*******
MyBB  does not sufficiently sanitize images uploaded by users, leading to
a Cross-Site-Scripting vulnerability. The problem arises that IE uses mime-
sniffing to establish the file type when being confronted with an unknown
header; crafted image files can be falsely identified as text/html,
leading to a cross-site-scripting vulnerability.
In particular, many web applications use the incorrect mime-type image/bmp,
which triggers the described sniffing.
MyBB uses the content-disposition:attachment header to defend against such
mime-sniffing. However, the IE6 browser does not respect that header to the
necessary extent; when clicking cancel upon visiting a malicious attachment,
all future visits will render the XSS vector.

Discussion
*******
The XSS renders only for visitors using the IE6 browser, and even then only
when cancelling the download.


Fix Information
***************

Update to myBB 1.4.5

Timeline:
***********
April 30th 2009: Contacted Vendor
May 1st 2009: Vendor response
May 4th 2009: MyBB 1.4.5 released
May 28th 2009: Full Disclosure


References:
***********

http://www.h-online.com/security/Risky-MIME-sniffing-in-Internet-Explorer--/features/112589

http://bugs.php.net/bug.php?id=47359

http://www.mybboard.net/