
Attachment Headaches with the Internet Explorer

Posted by Kellanved in Development, Modifications, Styles, Support on October 25th, 2008

Recently we got many bug reports about problems with the IE8 beta browsers. The problem is that we cannot accommodate beta browsers in our software: the next beta would break our adjustments. So why have we chosen to include some other IE8 features? The answer is simple: security.

This post will give you insights into one of the more obscure security implications of file uploads.

Three browsers, two opinions.


The History so far

Back in 2006 a new kind of XSS vector started to circulate on the internet: HTML code in broken GIF pictures. For some reason, the Internet Explorer browser – then in version 6 – would render HTML in image files with an incorrect header. To trigger this behaviour it was enough to open the file directly in the browser, i.e. not the HTML page containing it; an attacker only had to make the victim click a link.

Such files could be files with the .gif extension carrying a png header, or just plain broken image files. phpBB2 and 3 were inoculated against this sort of attack by using the getimagesize function to make sure that the file contents agree with the extension. All was considered to be good.

However, in early 2007 we were notified by ahingert about an interesting phenomenon: IE also rendered HTML in broken files with a valid png header and the .png extension. Even worse, research by Pit revealed that completely valid .png files would be treated as HTML if the byte pattern resembled certain HTML tags. We found out that this behaviour was not limited to png files, but affected almost all image extensions other than .gif and .jpg and – alarmingly – .txt.

Faced with this discovery, we implemented radical changes in phpBB3. In earlier versions, avatars and attachments (if publicly readable) were delivered directly by the server without going through a php instance. Because of the security hazard posed by this practice, we removed the direct delivery and instead forced all files, including avatars, to be delivered via the attachment system. To tighten this up, we changed the naming scheme of the files on the server to stop attackers from guessing them.

Moreover, we changed the headers: for IE users all files are delivered with the attachment content-disposition to stop them from rendering in the page context. So, if you wonder why avatars have weird names on the server: that’s why.

Naturally, we also investigated the reason behind it. We quickly found out that we were experiencing a feature: MIME sniffing. Sadly, the documentation provided by MS turned out to be almost completely incorrect.

We contacted Microsoft about the issue. Techie-Micheal exchanged several letters with the MS security staff, who silently – without any mention in docs or patchday announcements – disabled mime sniffing for png files.

We went even further with the release of phpBB 3.0.2. Using a list of strings able to trigger MIME sniffing, compiled by Nicolas Grekas and double-checked by ourselves, we added the option to block all uploads that IE would treat as HTML. The forbidden byte patterns are:

<!--

As we were not the only web developers having trouble with uploads (our complaints were echoed by MediaWiki and others), MS finally added a proprietary header to disable MIME sniffing in IE8 Beta 2.
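As an added example (not phpBB’s own code), this is how the two upload-time checks described above fit together in PHP: getimagesize() confirms that the bytes agree with the extension, and a scan of the first 256 bytes rejects files carrying a tag pattern a sniffer would take for HTML. Because the phpBB pattern list is elided above, the tag list used here is the one from the WHATWG MIME Sniffing standard; the function and constant names are this example’s own.

```php
<?php
// Added example, not phpBB code: upload-time validation of an image file.
// (1) getimagesize() must report the type the extension claims, and
// (2) the first 256 bytes must not contain a tag pattern a sniffer treats
// as HTML. The tag list comes from the WHATWG MIME Sniffing standard and
// stands in for phpBB's own (elided) list; names here are the example's own.

// Accepted extensions and the IMAGETYPE_* constant getimagesize() must return.
const ALLOWED_IMAGE_TYPES = [
    'gif'  => IMAGETYPE_GIF,
    'jpg'  => IMAGETYPE_JPEG,
    'jpeg' => IMAGETYPE_JPEG,
    'png'  => IMAGETYPE_PNG,
];

// Tags that trigger HTML sniffing, each followed by whitespace or '>'
// (the comment opener '<!--' needs no terminator). Matched case-insensitively
// anywhere in the inspected bytes, because IE6/7 did not require the tag to
// sit at the start of the file (the hi.bmp example in the post shows this).
const HTML_SNIFF_RE =
    '/<(?:!DOCTYPE HTML|HTML|HEAD|SCRIPT|IFRAME|H1|DIV|FONT|TABLE|A|STYLE|TITLE|B|BODY|BR|P)[\s>]|<!--/i';

/** True when the inspected prefix of $data contains a sniffable HTML tag. */
function looks_like_html(string $data, int $inspect = 256): bool
{
    return preg_match(HTML_SNIFF_RE, substr($data, 0, $inspect)) === 1;
}

/**
 * Validate an uploaded file at $path whose client-supplied name is $name.
 * Returns null when the upload is acceptable, otherwise the reason it fails.
 */
function check_image_upload(string $path, string $name): ?string
{
    $ext = strtolower(pathinfo($name, PATHINFO_EXTENSION));
    if (!isset(ALLOWED_IMAGE_TYPES[$ext])) {
        return "extension .$ext is not allowed";
    }

    // getimagesize() parses the real image header, so a .png that holds HTML
    // or a GIF header fails here; this is the check phpBB2/3 relied on.
    $info = @getimagesize($path);
    if ($info === false || $info[2] !== ALLOWED_IMAGE_TYPES[$ext]) {
        return "contents do not match the .$ext extension";
    }

    // A valid image can still carry a sniffable byte pattern in its first
    // bytes, so inspect those as well.
    $head = file_get_contents($path, false, null, 0, 256);
    if ($head === false) {
        return 'file is not readable';
    }
    if (looks_like_html($head)) {
        return 'first 256 bytes contain an HTML-like byte pattern';
    }
    return null;
}

// Constructed demo input, run with: php check_upload.php
// A minimal 1x1 transparent GIF, and plain HTML text saved under a .png name.
if (PHP_SAPI === 'cli') {
    $gif = base64_decode('R0lGODlhAQABAIAAAAAAAP///yH5BAEAAAAALAAAAAABAAEAAAICRAEAOw==');
    $samples = [
        'avatar.gif' => $gif,
        'avatar.png' => "<html><body>not an image</body></html>\n",
    ];
    foreach ($samples as $name => $bytes) {
        $tmp = tempnam(sys_get_temp_dir(), 'upl');
        file_put_contents($tmp, $bytes);
        printf("%-12s %s\n", $name, check_image_upload($tmp, $name) ?? 'accepted');
        unlink($tmp);
    }
}
```

The extension check comes first so that getimagesize() is only ever called on names you intend to serve; the byte scan runs even after getimagesize() succeeds, because a perfectly valid image with a tag-shaped header is exactly the case the post describes.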

Nice text, but can you give us an example?

Sure. You can even easily make one yourself:

alert('mime sniffing in action'); // -->

Save that as a .txt file, upload it to your server and visit it with different browsers. Notice the difference?

To really show the difference, click this image with IE (and with another browser for comparison).

Scary, isn't it?


What happens? The image’s byte pattern in the first 255 bytes happens to look exactly like certain HTML tags, while the file is still a valid bitmap. IE sees that and decides to handle the “image” as HTML. IE does this because it doesn’t know how to handle the “image/bmp” content type sent by our server; that (arguably incorrect) type is what default Apache and PHP installations send for bmp files.

What can you do about it?

Let’s start with the good news: if you limit uploads to png, gif and jpeg and validate them with getimagesize, you should be fine. Otherwise you have to jump through many hoops.

Internet Explorer 6

This is the worst case. To stop IE6 from making terrible mistakes, you have to be rather restrictive.

  • Use getimagesize to make sure that file and mime type agree
  • Set the content-disposition: attachment header
  • Completely forbid caching (otherwise the back button will lead to XSS)
  • Try to avoid uploads containing HTML tags.
  • Stop users from accessing images directly; wrap them in HTML img tags.
  • If the IE version is unpatched, it will also do funny things with .png – beware

The phpBB attachment handling will do all this for you.

Internet Explorer 7

IE7 behaves somewhat more nicely, as we are able to allow caching. Otherwise it is still not pretty:

  • Use getimagesize to make sure that file and mime type agree
  • Set the content-disposition: attachment header
  • Stop users from accessing images directly; wrap them in HTML img tags.
  • Try to avoid uploads containing HTML tags.
  • If the IE version is unpatched, it will also do funny things with .png – beware

The phpBB attachment handling will do all this for you here as well.

Internet Explorer 8

Okay, IE8 Beta 2 has new headers. This is the one feature of IE8 we are already using, because we trust the IE team to keep it and because it vastly improves usability.

  • Use getimagesize to make sure that file and extension agree
  • Add authoritative=true to the Content-Type header, i.e.
    Content-Type: text/plain; authoritative=true
  • Set the “X-Download-Options: noopen” header for all non-image files to stop IE from rendering HTML in context.

This will be part of the next phpBB 3.0 release.
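The three per-version header recipes above, written out as one PHP delivery function. This is an added example and not phpBB’s attachment code: the MIME type and image flag are assumed to come from the upload-time validation, the User-Agent parsing is this example’s own simplification, and the function names are invented here.

```php
<?php
// Added example, not phpBB's attachment code: build the delivery headers the
// post lists for IE6, IE7 and IE8, plus plain inline delivery for other
// browsers. $mime and $is_image are assumed to come from upload-time
// validation; the User-Agent parsing is this example's own simplification.

/** Major IE version from a User-Agent string, or 0 for any other browser. */
function ie_version(string $user_agent): int
{
    return preg_match('/MSIE (\d+)\./', $user_agent, $m) ? (int) $m[1] : 0;
}

/** Keep a download name free of path parts, quotes and header-injection bytes. */
function safe_download_name(string $name): string
{
    $name = basename(str_replace(["\r", "\n", "\0"], '', $name));
    return str_replace(['"', '\\'], '_', $name);
}

/**
 * Response headers for sending $name (stored with MIME type $mime) to a
 * browser identified by $ie. Returned as a list so it can be inspected.
 */
function delivery_headers(string $name, string $mime, bool $is_image, int $ie): array
{
    $name = safe_download_name($name);
    // Understood by IE8 release builds (which replaced the Beta 2
    // authoritative=true parameter with this header) and by later browsers;
    // harmless for browsers that ignore it.
    $headers = ['X-Content-Type-Options: nosniff'];

    if ($ie >= 8) {
        // IE8 Beta 2: mark the declared type as authoritative so it is not sniffed.
        $headers[] = "Content-Type: $mime; authoritative=true";
        $headers[] = "Content-Disposition: inline; filename=\"$name\"";
        if (!$is_image) {
            // Keep non-image files from being opened in the page context.
            $headers[] = 'X-Download-Options: noopen';
        }
    } elseif ($ie > 0) {
        // IE6/IE7: force a download so nothing is rendered in page context.
        $headers[] = "Content-Type: $mime";
        $headers[] = "Content-Disposition: attachment; filename=\"$name\"";
        if ($ie <= 6) {
            // IE6 would sniff the cached copy again via the back button.
            $headers[] = 'Cache-Control: no-cache, no-store, must-revalidate';
            $headers[] = 'Pragma: no-cache';
            $headers[] = 'Expires: 0';
        }
    } else {
        $headers[] = "Content-Type: $mime";
        $headers[] = "Content-Disposition: inline; filename=\"$name\"";
    }
    return $headers;
}

/** Send the stored file at $path with the headers above. */
function send_attachment(string $path, string $name, string $mime, bool $is_image): void
{
    $ie = ie_version($_SERVER['HTTP_USER_AGENT'] ?? '');
    foreach (delivery_headers($name, $mime, $is_image, $ie) as $header) {
        header($header);
    }
    header('Content-Length: ' . filesize($path));
    readfile($path);
}

// Constructed demo: print the header set for a text attachment as seen by
// four constructed User-Agent strings. Run with: php deliver.php
if (PHP_SAPI === 'cli') {
    $agents = [
        'Mozilla/4.0 (compatible; MSIE 6.0; Windows NT 5.1)',
        'Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.0)',
        'Mozilla/4.0 (compatible; MSIE 8.0; Windows NT 6.1; Trident/4.0)',
        'Mozilla/5.0 (X11; Linux x86_64; rv:2.0) Gecko/20100101 Firefox/4.0',
    ];
    foreach ($agents as $ua) {
        echo $ua, "\n";
        foreach (delivery_headers('notes.txt', 'text/plain', false, ie_version($ua)) as $h) {
            echo '  ', $h, "\n";
        }
    }
}
```

Keeping header construction separate from sending makes the per-browser decision testable without an HTTP server. The IE8 release builds dropped the authoritative=true parameter in favour of X-Content-Type-Options: nosniff, which is why the function emits that header for every browser while still sending the Beta 2 parameter the post describes.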

Is there any other way?

For image files there is one other useful precaution: use GD or ImageMagick to re-create the image files in a “safe” format like jpg. The advantage is that you will not have to do awkward header setting on file delivery. The downside is that you expose these applications/libraries to attackers. If you choose to use this defense, make sure that your server setup is always up-to-date. Another problem is that these tools are not available on all hosts.

For text files, probably the file type nobody wants rendered as HTML, there is also the option of padding the files with 256 bytes of “safe” data.
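Both precautions from the two paragraphs above, as an added example that is not phpBB code: an image is decoded and re-encoded through GD so that the stored header is GD’s output rather than the uploader’s, and a text file is prefixed with 256 bytes before delivery. Using newlines as the “safe” padding bytes is this example’s choice; the post does not say which bytes it used.

```php
<?php
// Added example, not phpBB code: the two extra precautions the post mentions.
// reencode_as_jpeg() pushes an uploaded image through GD so the stored bytes
// are GD's output rather than the uploader's; pad_text() prefixes a text file
// with 256 bytes of newlines so the bytes a sniffer inspects hold no tag.
// Newlines as the "safe" data are this example's choice.

/**
 * Decode $src_path with GD and write it to $dst_path as a JPEG.
 * Returns false when GD cannot decode the input, which is itself a reason
 * to reject the upload.
 */
function reencode_as_jpeg(string $src_path, string $dst_path, int $quality = 90): bool
{
    $data = file_get_contents($src_path);
    if ($data === false) {
        return false;
    }
    // imagecreatefromstring() handles GIF, JPEG and PNG (more depending on
    // the GD build). Decoding to pixels discards the original byte layout.
    $img = @imagecreatefromstring($data);
    if ($img === false) {
        return false;
    }
    // JPEG has no alpha channel: flatten palette/transparent input on white.
    $w = imagesx($img);
    $h = imagesy($img);
    $canvas = imagecreatetruecolor($w, $h);
    imagefill($canvas, 0, 0, imagecolorallocate($canvas, 255, 255, 255));
    imagecopy($canvas, $img, 0, 0, 0, 0, $w, $h);
    $ok = imagejpeg($canvas, $dst_path, $quality);
    imagedestroy($img);
    imagedestroy($canvas);
    return $ok;
}

/** Prefix $text with $pad newline bytes; the file stays readable as text. */
function pad_text(string $text, int $pad = 256): string
{
    return str_repeat("\n", $pad) . $text;
}

// Constructed demo: re-encode a 1x1 GIF and confirm with getimagesize() what
// type the stored file now has. Run with: php sanitize.php
if (PHP_SAPI === 'cli') {
    $src = tempnam(sys_get_temp_dir(), 'src');
    $dst = tempnam(sys_get_temp_dir(), 'dst');
    file_put_contents($src, base64_decode('R0lGODlhAQABAIAAAAAAAP///yH5BAEAAAAALAAAAAABAAEAAAICRAEAOw=='));
    if (reencode_as_jpeg($src, $dst)) {
        $info = getimagesize($dst);
        printf("stored as %s, %dx%d\n", $info['mime'], $info[0], $info[1]);
    } else {
        echo "GD could not decode the upload\n";
    }
    unlink($src);
    unlink($dst);

    $padded = pad_text("plain text that mentions <b>tags</b>\n");
    printf("padded text starts with %d newline bytes\n", strspn($padded, "\n"));
}
```

Re-encoding also drops metadata blocks such as EXIF, the other place where attacker-chosen bytes live in an image, but as the post warns it feeds untrusted input to GD and its underlying libjpeg/libpng/libgif decoders, so this defense is only as good as the patch level of those libraries. The text padding is cheap and reversible, but it changes the bytes the user downloads, so apply it only when serving to the IE versions that sniff.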

UPDATE: heise security now has an article by yours truly about the matter. The English version still needs some polish, I am not sure when I will get around to it.

40 Responses to “Attachment Headaches with the Internet Explorer”

Posted by rma-web on October 25th, 2008 at 9:14 pm:

Wow, that’s scary. I don’t know why people use IE anymore, Firefox is a lot safer to use.

Posted by mtotheikle on October 25th, 2008 at 10:22 pm:

Just another reason why people should not be using IE and Microsoft should give up in the browser race.

Posted by OdenGod on October 26th, 2008 at 1:24 am:

wow…
MS….

Posted by JimA on October 26th, 2008 at 7:13 am:

Nice post. :D

This shows again that IE is not a nice browser to use, but it is also not a very secure browser.

Posted by Ger on October 26th, 2008 at 7:25 am:

Those are a bit silly responses. I agree in IE being a stupid browser, but you can’t force your visitors to use an alternative browser. First of all, everybody has the freedom to use the browser they like, and second: there are many people out there who are just happy to have a computer and know the basics of using it without smoke coming out of every hole. They use IE because it’s a standard feature; searching for another browser is just scary for them.

Therefore, you MUST make a website compatible with it. Painstaking at times, but you just can’t ignore it. Forcing people not to use IE is just as bad as forcing people to use it. I always build my pages for Opera, check it in Fx and then for IE7 and IE6. The last one is a pain in the ass sometimes and obsolete as hell, but still can’t be ignored.

Posted by JimA on October 26th, 2008 at 11:03 am:

No, that’s right, you can’t ignore IE because (sadly) most of the people on the internet are using it. But with this kind of thing Microsoft is being very stupid: they are creating security holes themselves, and who has to fix it? Yes, the software creators.

In every single new Internet Explorer version Microsoft promised to use the W3C web standards, is it really that difficult to do?

Posted by c4gamerz on October 27th, 2008 at 2:47 pm:

Really useful article. Now I doubt the security of other CMS, blogging and forum software! I hope they are also working on this issue.

Posted by Martin Truckenbrodt on October 27th, 2008 at 6:43 pm:

Hello,
I’m not married with MS, but I want to say: To find a bug or a security hole always is the first step. And always to fix the problem is the second step. Generally MS really is not the slowest company in publishing security fixes. Here MS is in the good midrange.
Another thing: the more people are using a product, the more focus is on it. So the problem is well known and you can try to live with it as good as possible. Are you really sure that it’s only related to MS?
As I understand it, it’s not really a great security problem either.
And it’s our decision to allow file uploads to our webservers and webspaces!
Bye Martin

Posted by mrGTB on October 28th, 2008 at 12:28 am:

Posted by: rma-web

Wow, that’s scary. I don’t know why people use IE anymore, Firefox is a lot safer to use.

——————————

The reason why most people use IE is because it comes with Windows by default to use as your browser, the average user out there is not interested in installing another browser, when they can already browse the web no problem with IE out the box.

I use IE as my default browser, I do have FF, Opera, and Safari installed (for site validation reasons only). But I would much sooner still use IE for browsing purposes.

Posted by Techie-Micheal on October 28th, 2008 at 12:39 am:

Martin:

The problem is that Microsoft wrongly assumes that an image is HTML just because it contains HTML content. Sure, you could disallow uploads, but it is Microsoft that is handling things incorrectly by saying an image file is HTML when the webserver says it is an image file.

Posted by Kellanved on October 28th, 2008 at 10:21 am:

Martin: The issue is not a bug in an MS program, it is a documented feature.

Posted by Pasqualle on October 29th, 2008 at 2:55 pm:

You can easily force your visitors to use an alternative browser. I wonder why this option is not built into open source software yet.

Posted by EXreaction on October 29th, 2008 at 6:45 pm:

I am not sure if I agree with blocking files with html in them completely from being uploaded.

This can make it more difficult for legitimate usage of file uploads (such as uploading an html file so others can take a look at it/help someone with some html code/etc). Though it can be gotten around by archiving the html files before uploading, honestly I say screw IE users. If fixing a security vulnerability for one browser causes the loss of abilities for everyone just leave it and tell the makers of the browser to fix it. If they don’t fix it then it is their problem.

Posted by Martin Truckenbrodt on October 29th, 2008 at 7:17 pm:

Hello Techie-Micheal,
so “our” software has to check it(, too). It’s always a good security feature for “our” software, too.
It’s always better and more effective than waiting for new IE releases and updates or for “more intelligent” internet users. ;)
Bye Martin

Posted by Ger on October 29th, 2008 at 7:18 pm:

Posted by Pasqualle on October 29th, 2008 at 2:55 pm:

You can easily force your visitors to use an alternative browser. I wonder why this option is not built into open source software yet.

***

What the… Are you kidding? Force my visitors to download, install and learn to use an alternative browser? No way! I’ll lose half of my visitors that way.

Posted by Techie-Micheal on October 29th, 2008 at 9:42 pm:

Martin:

Sorry, but I am not sure what you are getting at. Are you saying that it is better for phpBB to implement these checks instead of waiting for Microsoft to fix the problem? If so, I agree. ;)

Posted by Smithsonian! on October 29th, 2008 at 10:18 pm:

You absolutely can not force someone to use a browser.
Anyways, it is a good security feature. Why would you have HTML in an image file anyways (unless you were doing something malicious)?

PNG needs the png encoding, not html
GIF needs the gif encoding, not html

and so on

If someone can think of a reason, then tell me.

Posted by Pasqualle on October 30th, 2008 at 1:25 am:

Force my visitors to download, install and learn to use an alternative browser?

***
Yes, that is exactly what I am saying..

Posted by Martin Truckenbrodt on October 30th, 2008 at 7:01 pm:

Hi Techie-Micheal,
yes, you understood me correctly! :)

One other point to the discussion:
A file type is not only declared by the file ending!
To use only this feature is very risky! You have to open the file and look at what is behind the file ending! Some bytes from the beginning of the file are enough!
One other example: USB device blocker software can allow the transmitting of selected file types. Good software looks at the first bytes of the file. Bad software only uses the file ending. So, if .mdb files are not allowed: just rename the file and copy it!
So why not say: if the file contains HTML code, why not display it? So I want to say the job of looking for malicious code does not have to be the job of a browser. On a home desktop it’s the job of the web filter contained in a personal internet security suite. In a company LAN it has to be the job of a web filter included in the proxy server or at least in the SoHo firewall NAT router.
Bye Martin

Posted by Stan Gobien on November 3rd, 2008 at 6:44 pm:

Martin and others,

It is a security risk and plain stupid.
Have you read the article ? Have you clicked the link to the image file ? http://www.phpbb.com/blog/wp-content/uploads/2008/10/hi.bmp

That file is a legitimate image file for these reasons:
- It has the correct extension
- It has the correct header in the beginning of the file
- It even completely renders as valid image code.

So in every way it is a perfectly normal image file.
But someone very clever made the pattern of the image code exactly like the ascii pattern of HTML code. So even though there are 3 perfectly good reasons why this is an image file, Microsoft decides it’s a HTML file and executes the HTML (and Javascript in it).

We are just lucky that this cannot be exploited inline (in a webpage) or websites would be hacked and defaced everywhere. Can you imagine it? You view an avatar or signature of someone on the page, and whoops, there goes your cookie with session and password information inside of it to a hacker.

Luckily for us phpBB has taken great care in preventing stuff like this from ever happening, by really securing the cookies and the sessions, and the attachment system.

regards

Posted by Techie-Micheal on November 4th, 2008 at 3:50 am:

Martin:

I think I can safely say that the devs are very much aware that you cannot trust the file extension to specify the filetype.

Also, you cannot rely on the user having a filter on their computer, or a company having a filter on their network. Also, looking at the first few bytes of a file is not enough, as that’s how things like what Kellanved explained happen.

Posted by Psikoloji on November 4th, 2008 at 6:40 pm:

Wow, that’s scary… I don’t know why people use IE anymore, Firefox is a lot safer to use..

Posted by Martin Truckenbrodt on November 5th, 2008 at 6:42 pm:

Hello,
so what’s the result?
It’s a general problem and “we” (phpBB) have the need to include security mechanisms, too. Not only for IE. For all users or visitors of our boards! ;)

Bye Martin

Posted by Steven on November 14th, 2008 at 7:16 am:

Wow, what is wrong with Microsoft? Really, you display images as images, html as html. I’m appalled.

I’m all for forcing my users to switch to Firefox, but really, is there a 100% way to detect the “baddies?” If there truly was, I’d jump at the chance to make the internet a better place. I wouldn’t block them completely: dumbing down the page with a lovely hot pink (oh yeah!) background and displaying multiple ads for Firefox should do the trick.

Posted by Ger on November 14th, 2008 at 3:28 pm:

Yeah, that should really do the trick to piss me off…

For instance: right now I’m behind a public computer, the only browser installed is IE7 and since it’s public, I have no rights to install Fx, Opera, or whatsoever. But when I should Google now and find your lovely hot pink background filled with Fx ads, no matter how much I like Fx myself, I would hit the “back”-button and search for another site which is acceptable for me. Congratulations, you’ve just scared off a potential visitor/member.

Also, I really HATE sites with javascript alertboxes telling me I’m using a stone-age browser. I already know that, but since it’s a public computer I can’t really do anything about it so don’t bug me. If I get too irritated, there are loads of alternative websites that don’t bug me so again, you lost a visitor/member.

No I’m not very unique: most schools, offices and public networks just use a standard Microsoft install and the users browsing from there don’t have the choice to install an alternative browser.

So don’t bug them with irritating tricks.

Posted by Techie-Micheal on November 14th, 2008 at 4:29 pm:

Martin:

Nobody is suggesting that you shouldn’t have security for other things … This is simply an example of extra protection needed because Microsoft doesn’t handle things correctly.

Posted by Steven on November 14th, 2008 at 11:34 pm:

Ger,

I understand where you are coming from; however, I thought it was clear we are talking about phpBB. Registered users shouldn’t and will never have to deal with anything annoying.

I also thought 99% of the population had heard of flash drives as well…

Posted by Ger on November 16th, 2008 at 8:05 am:

Steven,

You didn’t say it’s for unregistered users only. ;)

But still: the first time I’ll visit your site, I’m unregistered. When I’m unregistered, I should feel welcome, I should want to stay and visit your site more often, eventually registering. If a site has flashy pink backgrounds, it doesn’t really encourage me. ;)

About flash drives: yep, I have them, multiple ones. And nope, I can’t execute from it on the company network (I’ve tried that with Folding@home and with N++ once). Besides, do you really think the majority of people will install all of their own software on a flash drive because otherwise they might encounter websites that don’t work?

Posted by Techie-Micheal on November 17th, 2008 at 12:43 pm:

No, but they might want to run firefox on their flash drive for privacy. :P

Posted by naderman on November 22nd, 2008 at 5:19 pm:

If every site blocked Internet Explorer I’m pretty sure even those places described in earlier comments would soon switch to alternative browsers because everyone would complain about the browser. But even though imagining this feels great, it won’t happen ;-)

Posted by digioz on November 24th, 2008 at 12:27 am:

Wow! Now that is shocking and very VERY scary! I do not understand why Microsoft doesn’t take care of security holes like this. :(

Posted by James on December 13th, 2008 at 7:55 pm:

I think Microsoft would make more money if they distributed Firefox with their OS.

The licensing on that would be absolutely crazy, though.

Posted by Ashok on December 16th, 2008 at 5:31 am:

Hello,

We are facing the exact same problem in our application and security testers are raising hell, despite our protests that it is an MS/IE issue, and not our coding issue.

Now my question is: Has Microsoft accepted anywhere that this is their problem and has a fix been provided? Would be glad of any help.

Thanks,
Ashok

Posted by Kellanved on December 16th, 2008 at 12:38 pm:

Ashok, as stated above: MS does consider it a feature. IE8 improves matters a bit, but that doesn’t solve the issue of existing IE6 and IE7 installs.

The feasible ways are either very strict validation, i.e. filtering out content that might get treated as HTML, or – if it’s just images – to stick to harmless formats and/or sanitize them by using GD.

~H

Posted by Sam on December 30th, 2008 at 8:12 am:

No one seems to have mentioned it yet, but this is considered a feature because of the many web servers/web apps which spit out incorrect MIME types for files. Worse, many are either unchangeable (i.e. the web software is out of reach for the user, e.g. hosted stuff), or require a code change.

It is no excuse, but it gave a better user experience, particularly back in the day when this occurred much more often than now.

The implementation is far from perfect though, and isn’t really needed nowadays anymore, especially with the proliferation of alternate browsers without this behaviour.

BTW, in IE8 files sent with an image MIME type will be rendered as an image, no matter what.

Posted by Alex on January 5th, 2009 at 4:05 pm:

I with the block IE users all together hope,
Just make a code that detects what browser they are using and if it’s IE, loads of Mozilla Firefox and Google Chrome advertisements would be displayed, all in Encrypted HTML Code to avoid content filters.
Companies and Schools should learn to use decent software, like Chrome or Firefox.
I know that this has very little to do with the subject, but Schools and Universities also always use Windows Server 2003, which means that they will be limited to use ASP applications.

Posted by madd74 on January 19th, 2009 at 11:20 pm:

Not to mention, I am on a work computer. While FF gets installed to all 4+ of my home computers, my work computer is stuck in the crazy world of IE6.

So your attempt to add “loads and loads” of ads for browser upgrades is not going to work. Also, what happens when I am on someone else’s computer?

So while all of you attempt to talk about how you would “force” people, ultimately what you are going to do is force some people away from your site, because you are not letting me look at that site on a dominant computer (in my case, my work computer, that can barely go places as it is with all the filters I run across).

There is a reason there are 8+ different browsers out there. It is the same reason that everyone isn’t forced to shop at Wal-Mart for all of their shopping, or everyone get gas at QT (or whatever is the norm for your area).

Posted by Alex Stubbins on June 3rd, 2009 at 4:37 pm:

You know what. You should not have to make websites work for 1 web browser. Web browsers are supposed to be made to work with websites, and not the other way around.

Posted by Marlon on January 10th, 2010 at 5:45 am:

Internet Explorer 8 is really good. This browser is very very stable and I have been using it for quite a while without blue screens or crashes.

Posted by Party Rentals on June 21st, 2010 at 3:34 pm:

Whatever we do we do in order to please our visitors and customers, forcing them to do something won’t bring success. If I was a visitor and someone would try to force me something I would turn my face away and never return back.
