Zend_File_Transfer had a potential MIME type injection vulnerability for file
uploads. In certain situations where either PHP's ext/finfo extension is not
installed and the mime_content_type() function was not available on a system,
Zend_File_Transfer would use the user provided value for the type embedded
inside the $_FILES superglobal. Additionally, in cases where the functionality
was available, but where a type could not be determined by one of them,
Zend_File_Transfer would also fallback on the user provided type. Using user
provided information for a file's MIME type in uploads is considered an insecure
practice, as it provides attack vectors by malicious users.
This vulnerability has been fixed by returning application/octet in situations
where the MIME type cannot be detected securely by PHP.
If you use this component, or other components that rely on it (e.g.,
Zend_Form_Element_File), we strongly recommend upgrading to the most current
version of Zend Framework available, or one of the following versions.
The Zend Framework team thanks the following for working with us to help protect its users:
Released 2010-01-11
Have you identified a security vulnerability?
Please report it to us at zf-security@zend.com