Security Advisory: ZF2010-04

ZF2010-04: Potential MIME-type Injection in Zend_File_Transfer

Executive Summary

Zend_File_Transfer had a potential MIME type injection vulnerability for file uploads. In certain situations where either PHP's ext/finfo extension is not installed and the mime_content_type() function was not available on a system, Zend_File_Transfer would use the user provided value for the type embedded inside the $_FILES superglobal. Additionally, in cases where the functionality was available, but where a type could not be determined by one of them, Zend_File_Transfer would also fallback on the user provided type. Using user provided information for a file's MIME type in uploads is considered an insecure practice, as it provides attack vectors by malicious users.

Action Taken

This vulnerability has been fixed by returning application/octet in situations where the MIME type cannot be detected securely by PHP.

Recommendations

If you use this component, or other components that rely on it (e.g., Zend_Form_Element_File), we strongly recommend upgrading to the most current version of Zend Framework available, or one of the following versions.

• 1.9.7
• 1.8.5

Other Information

Acknowledgments

The Zend Framework team thanks the following for working with us to help protect its users:

• Pádraic Brady, who made the initial report and who worked with our team to ensure that the appropriate actions were taken.
• Thomas Weidner, who provided the patch used to resolve the issue issue tracker.

Released 2010-01-11

Back to advisories

• Overview
• Advisories
• Feed