ZF2010-04: Potential MIME-type Injection in Zend_File_Transfer
Zend_File_Transfer had a potential MIME type injection
vulnerability for file uploads. In certain situations where either PHP's
ext/finfo extension is not installed and the
mime_content_type() function was not available on a system,
Zend_File_Transfer would use the user provided value for the
type embedded inside the
$_FILES superglobal. Additionally,
in cases where the functionality was available, but where a type could not
be determined by one of them,
Zend_File_Transfer would also
fallback on the user provided type. Using user provided information for a
file's MIME type in uploads is considered an insecure practice, as it
provides attack vectors by malicious users.
This vulnerability has been fixed by returning "application/octet" in situations where the MIME type cannot be detected securely by PHP.
If you use this component, or other components that rely on it (e.g.,
Zend_Form_Element_File), we strongly recommend upgrading to
the most current version of Zend Framework available, or one of the
The Zend Framework team thanks the following for working with us to help protect its users:
- Pádraic Brady, who made the initial report and who worked with our team to ensure that the appropriate actions were taken
- Thomas Weidner, who provided the patch used to resolve the issue issue tracker
Reporting Potential Security Issues
If you have encountered a potential security vulnerability in Zend Framework, please report it to us at firstname.lastname@example.org. We will work with you to verify the vulnerability and patch it.
When reporting issues, please provide the following information:
- Component(s) affected
- A description indicating how to reproduce the issue
- A summary of the security vulnerability and impact
We request that you contact us via the email address above and give the project contributors a chance to resolve the vulnerability and issue a new release prior to any public exposure; this helps protect Zend Framework users and provides them with a chance to upgrade and/or update in order to protect their applications.
For sensitive email communications, please use our PGP key.
Zend Framework takes security seriously. If we verify a reported security vulnerability, our policy is:
- We will patch the current release branch, as well as the immediate prior minor release branch.
- After patching the release branches, we will immediately issue new security fix releases for each patched release branch.
- A security advisory will be released on the Zend Framework site detailing the vulnerability, as well as recommendations for end-users to protect themselves. Security advisories will be listed at http://framework.zend.com/security/advisories, as well as via a feed (which is also present in the website head for easy feed discovery)