
Some security vulnerability scanners, such as Ratproxy, detect a vulnerability called "MIME type mismatch on image file". Thanks to the CAPEC project we can see that Cross-Site Scripting Using MIME Type Mismatch is possible, but the explanation shown is not clear to me.

What I understand is that where this vulnerability exists, it is possible to, for example, embed JavaScript inside a PNG file, upload it to the site, and in some way execute the JavaScript inside the PNG file.

Can you explain how exactly an attacker can exploit this kind of vulnerability, with an example?

Is it necessary that the web client (e.g. the browser) also has a vulnerability in order to exploit this web application vulnerability, or does it depend completely on the web application?

kinunt

1 Answer


The problem is with the browser (or in the case of the linked CVE with Outlook).

The attack is as follows:

I create a file and send this file to the program with the MIME type image/png.

The browser ignores the MIME type and sniffs the content of the file (even though I explicitly say that the file is of type image/png).

The browser determines (from sniffing) that the content type is text/javascript and handles it accordingly (as JavaScript).

Therefore in my eyes this is a flaw in the browser because I clearly determined that the file is of another type.

Uwe Plonus
    See also: http://security.stackexchange.com/questions/32967/is-it-possible-to-execute-a-php-script-in-an-image-file and http://security.stackexchange.com/questions/32580/what-is-the-next-step-of-this-file-upload-attack – mr.spuratic Jun 28 '13 at 11:31
  • Investigating, I have found that an important fact that is not present in this answer is that it is possible to have a file that is identified as a PNG file (for example, by having certain first bytes in the header, like a magic number that identifies the file as PNG) and at the same time a file that is executed as JavaScript by a browser. The vulnerability could exist 1) in the application that does not store correctly the supposed MIME type of the file and 2) in the browser that sniffs the content and executes the file ignoring the MIME type – kinunt Jul 02 '13 at 12:24
  • @kinunt the main problem remains: the browser is sniffing and tries to determine the type from sniffing... – Uwe Plonus Jul 02 '13 at 12:33
  • @UwePlonus but just this could be considered a functionality, because browsers implement this behaviour in order to be able to interpret files with incorrect MIME types. If one browser respected the MIME type strictly, it wouldn't be able to show some files, which would be detrimental to it in favor of other browsers. Source: http://en.wikipedia.org/wiki/Content_sniffing – kinunt Jul 02 '13 at 12:39
  • @kinunt I don't think so. If one significant browser started not sniffing, the script kiddies would develop sites with proper MIME types... – inf3rno May 09 '14 at 22:39
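The attack the answer walks through (a file declared as image/png whose bytes are script, plus a browser that sniffs) has a server-side counterpart that a scanner such as Ratproxy flags as a "MIME type mismatch": the declared Content-Type disagrees with what the bytes actually are. The following Node.js snippet is an added example and not code from the original question, answer or comments. It shows both halves of the practitioner's response: a check that reproduces the mismatch finding on an uploaded file, and a response-header builder that takes the type from the file's magic bytes rather than from the uploader, sends X-Content-Type-Options: nosniff so a conforming browser will not sniff, and forces a download for anything that is not a recognised image. The function names (sniffImageType, looksLikeScriptOrHtml, findMimeMismatch, responseHeadersFor, serveStoredFile) and the sample buffers are this example's own, not any library's API; the script-detection regex is a deliberately crude stand-in for a real browser sniffer.

```javascript
// Added example: detect a declared-vs-actual MIME mismatch on an "image" upload,
// and serve stored uploads so that a sniffing browser cannot promote them to script.
// Helper names here are illustrative, not a library API.

// Magic numbers for the image types this example recognises.
const MAGIC = [
  { type: 'image/png',  bytes: [0x89, 0x50, 0x4e, 0x47, 0x0d, 0x0a, 0x1a, 0x0a] },
  { type: 'image/gif',  bytes: [0x47, 0x49, 0x46, 0x38] },            // "GIF8"
  { type: 'image/jpeg', bytes: [0xff, 0xd8, 0xff] },
];

// Return the image type implied by the leading bytes, or null if none matches.
function sniffImageType(buf) {
  for (const { type, bytes } of MAGIC) {
    if (buf.length >= bytes.length && bytes.every((b, i) => buf[i] === b)) return type;
  }
  return null;
}

// Crude stand-in for a browser's content sniffer: does the body open with
// something that reads as HTML or script rather than image data?
function looksLikeScriptOrHtml(buf) {
  const head = buf.subarray(0, 512).toString('latin1').trimStart().toLowerCase();
  return /^(<!doctype|<html|<script|<svg|alert\(|function\b|var\b|let\b|const\b)/.test(head);
}

// The "MIME type mismatch on image file" finding: the declared Content-Type
// claims an image, but the bytes are not that image type. Returns null when
// declared and actual agree (or the declared type is not an image at all).
function findMimeMismatch(declaredType, buf) {
  const declared = declaredType.split(';')[0].trim().toLowerCase();
  if (!declared.startsWith('image/')) return null;
  const actual = sniffImageType(buf);
  if (actual === declared) return null;
  return { declared, actual, scriptLike: looksLikeScriptOrHtml(buf) };
}

// Headers for serving a stored upload: the type comes from the bytes, never from
// what the uploader declared; nosniff tells the browser not to second-guess it;
// anything that is not a recognised image is forced to download instead of render.
function responseHeadersFor(storedName, buf) {
  const actual = sniffImageType(buf);
  const headers = {
    'X-Content-Type-Options': 'nosniff',
    'Content-Type': actual || 'application/octet-stream',
  };
  if (!actual) {
    const safeName = storedName.replace(/["\\\r\n]/g, '_'); // keep the header well-formed
    headers['Content-Disposition'] = `attachment; filename="${safeName}"`;
  }
  return headers;
}

// Write the file with the headers above; `res` is a Node http.ServerResponse
// (or anything with writeHead/end, as in the assertions below).
function serveStoredFile(res, storedName, buf) {
  const headers = responseHeadersFor(storedName, buf);
  res.writeHead(200, headers);
  res.end(buf);
  return headers;
}

// Constructed samples (not real uploads): a genuine PNG signature padded with
// zeros, and an "image" upload whose bytes are actually JavaScript.
const REAL_PNG = Buffer.concat([
  Buffer.from([0x89, 0x50, 0x4e, 0x47, 0x0d, 0x0a, 0x1a, 0x0a]),
  Buffer.alloc(16),
]);
const FAKE_PNG = Buffer.from('alert(document.cookie)//', 'latin1');

// Usage: findMimeMismatch('image/png', FAKE_PNG) reports declared image/png,
// actual null, scriptLike true; responseHeadersFor('avatar.png', FAKE_PNG)
// serves it as application/octet-stream with nosniff and a download disposition.
```

Two caveats a practitioner should keep in mind. The magic-byte check only proves the first bytes are a PNG header; the comment above about PNG/JavaScript polyglots is exactly why the served Content-Type and the nosniff header matter even when the magic number is correct, and why user uploads are best served from a separate origin that carries no session cookies. And nosniff is honoured by current browsers but is a request to the client, which is the point the answer makes: the sniffing itself happens on the browser side, and the server can only remove the ambiguity that sniffing feeds on.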