There are posts that says php mimetype isn't secure, or can be bypassed. How do people spoof the mimetype?
Asked
Active
Viewed 7,605 times
10
-
1Which function are you using to try and determine the type of the uploaded file? – Xander May 15 '13 at 00:43
-
PHP: mimetype($file) – h00j May 15 '13 at 06:57
-
There isn't any standard function called `mimetype`, do you mean `mime_content_type`? – bobince May 15 '13 at 08:37
-
Oh wait sorry its getimagesize – h00j May 15 '13 at 09:18
1 Answers
6
If you were creating the header on the upload request programmatically, you can declare the headers, etc. An explanation which includes some code samples.
You should go beyond the mime type and check the content. E.g., if you allow an image upload, do a conversion of the image on the server and do other checks as well.
You may want to check out this post on SO:
The "signature headers" help you to decide what kind of image format a file tries to impersonate. In a next step you could check if the rest of the contents are compliant with the underlying image format. This would guarantee you that the file is really an image file of that specific format.
You may also be interested in this article on GIFAR:
They call this type of file a GIFAR, a contraction of GIF and JAR, the two file types that are mixed. At Black Hat, the researchers will show attendees how to create the GIFAR while omitting a few key details to prevent it from being used immediately in any widespread attack.
To the Web server, the file looks exactly like a .gif file, however a browser's Java virtual machine will open it up as a Java Archive file and then run it as an applet. That gives the attacker an opportunity to run Java code in the victim's browser. For its part, the browser treats this malicious applet as though it were written by the Web site's developers.
