Security Advisory

ZF2010-04: Potential MIME-type Injection in Zend_File_Transfer

Executive Summary

Zend_File_Transfer had a potential MIME type injection vulnerability for file uploads. In certain situations where either PHP's ext/finfo extension is not installed and the mime_content_type() function was not available on a system, Zend_File_Transfer would use the user provided value for the type embedded inside the $_FILES superglobal. Additionally, in cases where the functionality was available, but where a type could not be determined by one of them, Zend_File_Transfer would also fallback on the user provided type. Using user provided information for a file's MIME type in uploads is considered an insecure practice, as it provides attack vectors by malicious users.

Action Taken

This vulnerability has been fixed by returning "application/octet" in situations where the MIME type cannot be detected securely by PHP.

Recommendations

If you use this component, or other components that rely on it (e.g., Zend_Form_Element_File), we strongly recommend upgrading to the most current version of Zend Framework available, or one of the following versions.

Other Information

Acknowledgments

The Zend Framework team thanks the following for working with us to help protect its users:

Reporting Potential Security Issues

If you have encountered a potential security vulnerability in Zend Framework, please report it to us at zf-security@zend.com. We will work with you to verify the vulnerability and patch it.

When reporting issues, please provide the following information:

We request that you contact us via the email address above and give the project contributors a chance to resolve the vulnerability and issue a new release prior to any public exposure; this helps protect Zend Framework users and provides them with a chance to upgrade and/or update in order to protect their applications.

For sensitive email communications, please use our PGP key.

Policy

Zend Framework takes security seriously. If we verify a reported security vulnerability, our policy is:

back to advisories