Bypassing a Magic Number Check for Code Injection (10000 USD)

We discussed this vulnerability as part of our weekly podcast on 14 September 2021

Easy vulnerability that shows how checking the magic numbers of a file isn’t always sufficient. For some types of files all that matters is that the processor can detect its own content within another file. PHP is an example of this, it doesn’t care how the file starts or ends, just that it can find the <?php tags and code to run.

In this attack the author was able to bypass a file-upload filter that checked the magic number (first few bytes of a file) to ensure it was an image by uploading a corrupted image that also contained PHP within it. Its a classic trick, but its great to see it still alive and kicking.

Mitigation

While we don’t know what application this vulnerability was found in to discuss the patch keeping any sort of user content outside of the web-root is a good starting place, and not running language processors on requests to what should be static files.