Security Advisory
ZF2010-04: Potential MIME-type Injection in Zend_File_Transfer
Executive Summary
Zend_File_Transfer had a potential MIME type injection
vulnerability for file uploads. In certain situations where PHP's
ext/finfo extension was not installed and the
mime_content_type() function was not available on a system,
Zend_File_Transfer would use the user-provided value for the
type embedded inside the $_FILES superglobal. Additionally,
in cases where the functionality was available, but where a type could not
be determined by either of them, Zend_File_Transfer would also
fall back on the user-provided type. Using user-provided information for a
file's MIME type in uploads is considered an insecure practice, as it
provides attack vectors for malicious users.
Action Taken
This vulnerability has been fixed by returning "application/octet" in situations where the MIME type cannot be detected securely by PHP.
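To make the fallback concrete, the following is an added illustration (not Zend_File_Transfer's own code) that contrasts the pre-fix behaviour with the corrected one. It assumes a constructed $_FILES-style entry whose client-supplied type claims image/png, and the helper names are hypothetical.

```php
<?php
// Added illustration, not Zend Framework code. Helper names are hypothetical.

/**
 * Server-side detection only: ext/finfo first, then mime_content_type().
 * Returns null when neither is available or neither yields a type.
 */
function sniffMimeType(string $path): ?string
{
    if (function_exists('finfo_open')) {
        $finfo = finfo_open(FILEINFO_MIME_TYPE);
        if ($finfo !== false) {
            $type = @finfo_file($finfo, $path);
            finfo_close($finfo);
            if (is_string($type) && $type !== '') {
                return $type;
            }
        }
    }
    if (function_exists('mime_content_type')) {
        $type = @mime_content_type($path);
        if (is_string($type) && $type !== '') {
            return $type;
        }
    }
    return null;
}

// Pre-fix behaviour: when detection fails, fall back on the
// client-controlled $_FILES[...]['type'] value.
function detectMimeTypeVulnerable(array $upload): string
{
    return sniffMimeType($upload['tmp_name']) ?? $upload['type'];
}

// Fixed behaviour: never use the client value; return an opaque default
// so downstream code cannot be steered by the claimed type.
function detectMimeTypeFixed(array $upload): string
{
    return sniffMimeType($upload['tmp_name']) ?? 'application/octet';
}

// Constructed upload entry: the browser (or whoever sends the request)
// claims a PNG. tmp_name points at a missing path so that server-side
// detection fails and the fallback branch is exercised.
$upload = ['name' => 'avatar.png', 'type' => 'image/png', 'tmp_name' => '/nonexistent/phpUpload'];

echo 'vulnerable: ', detectMimeTypeVulnerable($upload), PHP_EOL;
echo 'fixed:      ', detectMimeTypeFixed($upload), PHP_EOL;
```

The vulnerable variant echoes whatever type the request claimed, while the fixed variant yields the opaque default, which is what the patched component does whenever PHP cannot detect the type itself.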
Recommendations
If you use this component, or other components that rely on it (e.g.,
Zend_Form_Element_File), we strongly recommend upgrading to
the most current version of Zend Framework available, or one of the
following versions.
- 1.9.7
- 1.8.5
Other Information
Acknowledgments
The Zend Framework team thanks the following for working with us to help protect its users:
- Pádraic Brady, who made the initial report and who worked with our team to ensure that the appropriate actions were taken
- Thomas Weidner, who provided the patch used to resolve the issue
Reporting Potential Security Issues
If you have encountered a potential security vulnerability in Zend Framework, please report it to us at zf-security@zend.com. We will work with you to verify the vulnerability and patch it.
When reporting issues, please provide the following information:
- Component(s) affected
- A description indicating how to reproduce the issue
- A summary of the security vulnerability and impact
We request that you contact us via the email address above and give the project contributors a chance to resolve the vulnerability and issue a new release prior to any public exposure; this helps protect Zend Framework users and provides them with a chance to upgrade and/or update in order to protect their applications.
For sensitive email communications, please use our PGP key.
Policy
Zend Framework takes security seriously. If we verify a reported security vulnerability, our policy is:
- We will patch the current release branch, as well as the immediate prior minor release branch.
- After patching the release branches, we will immediately issue new security fix releases for each patched release branch.
- A security advisory will be released on the Zend Framework site detailing the vulnerability, as well as recommendations for end-users to protect themselves. Security advisories will be listed at http://framework.zend.com/security/advisories, as well as via a feed (which is also present in the website head for easy feed discovery).