Opened 2 years ago

Closed 18 months ago

Last modified 18 months ago

#1487895 closed Bugs (fixed)

Content checks for inline attachments

Reported by: thomasb Owned by:
Priority: 3 Milestone: 0.7-stable
Component: Security Version: git-master
Severity: major Keywords:
Cc:

Description

Contents of attachments (such as pictures) which are embedded in HTML (multipart/related) messages should be checked before sending them to the client.

Internet Explorer executes javascript code within images (!) if <script>... exists in content. It entirely ignores mimetype headers but does content sniffing.

This is an XSS vulnerability which exists when using Internet Explorer and is an attack that takes advantage of a bug which exists in the web browser.

Reproduction Procedure:

Disguise HTML which contains a SCRIPT tag as a picture file (.jpg, .gif, etc.) or create a picture file that contains a SCRIPT tag and attach it. Send this email and when this attachment is opened/viewed, the javascript is executed.

Attachments (1)

strip_html_for_ie_2011-11-03.diff (1.1 KB) - added by Enrico204 19 months ago.
Possible workaround for IE text/plain bug


Change History (7)

comment:1 Changed 22 months ago by alec

  • Component changed from Core functionality to Security issue
  • Priority changed from 5 to 3
  • Version changed from 0.2.2 to svn-trunk

See duplicate #1488020 for examples.

Changed 19 months ago by Enrico204

Possible workaround for IE text/plain bug

comment:2 Changed 19 months ago by Enrico204

I've attached a possible workaround to clean the attachment.

This bug is IE-related (<= 8), and it's fixed in IE9 only: Internet Explorer reads the file content ignoring the content-type served.

comment:3 Changed 18 months ago by thomasb

@Enrico204: I'm sorry but your patch isn't a proper solution for this. While it may solve the issue of this ticket it will break some other use cases where people want to download (unmodified) attachments. Also it requires loading all attachment contents into PHP memory which may exhaust some resources and lead to errors. We had good reasons to circumvent output buffering and to pass attachments directly to the client line by line. All this has to be taken into account when trying to solve this issue.

comment:4 Changed 18 months ago by alec

A solution for memory issue would be stream wrapper (see stream_wrapper_register() function).

comment:5 Changed 18 months ago by thomasb

  • Resolution set to fixed
  • Status changed from new to closed

Implemented in [57486f6e]

comment:6 Changed 18 months ago by alec

Please read #1488020. This can be used for any attachment, not only embedded ones. An attacker can provide a link to an attachment (or any message part) without the _embed parameter.
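A content check of the kind the description asks for, combined with the streaming concern raised in comment:3 and comment:4, as an added example written for this page. It is Python, not Roundcube's PHP code, and it is not the fix referenced in comment:5. It assumes a caller that knows the part's declared MIME type and hands over a file-like body; the `Response` class, the `SNIFF_WINDOW` size, the `HTML_MARKERS` list and every sample part are constructed here for illustration. Only the first window of bytes is inspected before the headers are decided; the rest is copied through in chunks, so the part is never held in memory as a whole. Because the verdict depends on the declared type and the bytes alone, it applies to any part URL, with or without the _embed parameter, which is the point comment:6 makes.

```python
"""Streaming content check for message parts served inline (added example;
not Roundcube's code). The Response class is a constructed stand-in for the
real server response object."""
import io
import re

# Bytes examined before the first byte reaches the client. Old IE sniffs the
# first 256 bytes of a response; this window is deliberately larger. The size
# is an assumption of this example, not a value from the ticket.
SNIFF_WINDOW = 1024

# Leading bytes expected for the image types this example knows about.
IMAGE_MAGIC = {
    "image/jpeg": (b"\xff\xd8\xff",),
    "image/png": (b"\x89PNG\r\n\x1a\n",),
    "image/gif": (b"GIF87a", b"GIF89a"),
}

# Tags that make a sniffing browser treat a response as HTML. The list is an
# assumption of this example; extend it rather than shrink it.
HTML_MARKERS = re.compile(
    rb"<\s*(?:script|html|head|body|title|iframe|object|embed|meta|img|a\s+href|!doctype)\b",
    re.IGNORECASE,
)


class Response:
    """Constructed stand-in for the server response (not a real framework)."""

    def __init__(self):
        self.headers = {}
        self.body = bytearray()
        self.writes = 0  # number of chunks emitted, to show streaming

    def write(self, data: bytes):
        self.body += data
        self.writes += 1


def classify(declared_type: str, head: bytes) -> str:
    """Decide from the first bytes how a part may be served.

    'inline'   -> head carries no markup and matches the declared image type
    'download' -> anything a sniffing browser could be talked into rendering
    """
    if HTML_MARKERS.search(head):
        return "download"
    magic = IMAGE_MAGIC.get(declared_type.lower())
    if magic is not None and not head.startswith(magic):
        return "download"  # claims to be an image but does not start like one
    return "inline"


def safe_filename(name: str) -> str:
    """Keep only characters that cannot break the Content-Disposition header."""
    cleaned = re.sub(r"[^A-Za-z0-9._-]", "_", name)
    return cleaned or "attachment"


def serve_part(declared_type, body, response, filename, chunk_size=8192):
    """Stream a part to the client; only SNIFF_WINDOW bytes are read before
    the headers are fixed, the remainder is copied through chunk by chunk."""
    head = body.read(SNIFF_WINDOW)
    verdict = classify(declared_type, head)
    name = safe_filename(filename)
    if verdict == "inline":
        response.headers["Content-Type"] = declared_type
        response.headers["Content-Disposition"] = "inline; filename=%s" % name
    else:
        # Generic type plus attachment disposition: the browser is told to
        # save the file rather than render it, whatever it sniffs inside.
        response.headers["Content-Type"] = "application/octet-stream"
        response.headers["Content-Disposition"] = "attachment; filename=%s" % name
    # Opt out of sniffing on browsers that honour it (introduced with IE8).
    response.headers["X-Content-Type-Options"] = "nosniff"
    response.write(head)
    while True:
        chunk = body.read(chunk_size)
        if not chunk:
            break
        response.write(chunk)
    return verdict


def check_sample(declared_type, data: bytes, filename="part.bin"):
    """Run serve_part over an in-memory sample; returns (verdict, response)."""
    response = Response()
    verdict = serve_part(declared_type, io.BytesIO(data), response, filename)
    return verdict, response


if __name__ == "__main__":
    SAMPLES = {  # constructed inputs, not real message parts
        "real gif": ("image/gif", b"GIF89a" + b"\x00" * 40),
        "html named .jpg": ("image/jpeg", b"<html><body><script>alert(1)</script></body></html>"),
        "gif with script in comment": ("image/gif", b"GIF89a\x01\x00\x01\x00\x00\x00\x00!\xfe\x10<script>x</script>\x00;"),
    }
    for label, (ctype, data) in SAMPLES.items():
        verdict, resp = check_sample(ctype, data)
        print("%-28s %-8s %s" % (label, verdict, resp.headers["Content-Type"]))
```

The verdict is taken on the head only, so a multi-megabyte attachment costs one window of memory plus one chunk buffer, which is what the line-by-line pass-through in comment:3 was protecting. A part that fails the check is still delivered, just as a download rather than inline, so the unmodified-attachment use case from comment:3 is preserved.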
