Perhaps I don't know enough about how this works, but couldn't you use this to inject runnable JavaScript into a page? If this is possible it's pretty scary, as it would allow you to upload a hidden payload into an otherwise innocent-looking image.
I was able to add JavaScript code in there and it executed properly, but the browser won't parse the jpg as HTML unless I give it a .html filename extension. I don't see how this could be easily exploitable.
Is it possible for the file extension to say one thing and the MIME type to say something else? So the file extension could be .jpg (reassuring the user that it is only an image) but the HTTP response says it is text/html?
I think a similar exploit was used recently with .svg images - they can contain JavaScript (being XML) which will be executed by the browser. Not sure about the details, however.
> I think a similar exploit was used recently with .svg images - they can contain JavaScript (being XML) which will be executed by the browser. Not sure about the details, however.
However, the JavaScript shouldn't execute if the image is embedded via <img>.
Interesting thought, but browsers should not interpret JavaScript inside an image. I would expect image rendering to be separated. Can someone with expertise in browser design tell us how this actually works?
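The comments above ask whether a JPEG carrying script can be made to run, and whether the file extension and the served Content-Type can disagree. As an added example that is not part of any comment in the thread, this Python walks the marker segments of an uploaded JPEG, flags metadata segments (COM/APPn) that contain HTML markup, and reports an extension/Content-Type mismatch; the sample files are constructed inline, and the function names are the example's own.

```python
import re
import struct

SOS, COM = 0xDA, 0xFE  # start of scan, comment (ITU T.81 marker codes)
HTML_MARKERS = re.compile(rb"<\s*(script|html|svg|iframe|body)\b", re.I)

def jpeg_segments(data: bytes):
    """Yield (marker, payload) for each header segment; stops at SOS, before scan data."""
    if data[:2] != b"\xff\xd8":
        raise ValueError("missing SOI marker: not a JPEG")
    pos = 2
    while pos + 4 <= len(data):
        if data[pos] != 0xFF:
            raise ValueError(f"expected 0xFF marker prefix at offset {pos}")
        marker = data[pos + 1]
        (length,) = struct.unpack(">H", data[pos + 2:pos + 4])
        payload = data[pos + 4:pos + 2 + length]
        if len(payload) != length - 2:
            raise ValueError("truncated segment")
        yield marker, payload
        if marker == SOS:
            return  # entropy-coded data follows; the structural walk ends here
        pos += 2 + length
    raise ValueError("no SOS segment: header ended early")

def suspicious_segments(data: bytes):
    """COM/APPn segments (where metadata lives) that contain HTML markup."""
    return [(m, p) for m, p in jpeg_segments(data)
            if (m == COM or 0xE0 <= m <= 0xEF) and HTML_MARKERS.search(p)]

def check_upload(filename: str, declared_type: str, data: bytes):
    """List the reasons to reject an upload; an empty list means it passed."""
    problems = []
    if not filename.lower().endswith((".jpg", ".jpeg")) or declared_type != "image/jpeg":
        problems.append("extension/Content-Type mismatch")
    try:
        hits = suspicious_segments(data)
    except ValueError as exc:
        return problems + [f"not a well-formed JPEG: {exc}"]
    return problems + [f"HTML markup in segment 0x{m:02X}" for m, _ in hits]

def seg(marker: int, payload: bytes) -> bytes:
    """Build one marker segment: 0xFF, marker, 2-byte length (includes itself)."""
    return bytes([0xFF, marker]) + struct.pack(">H", len(payload) + 2) + payload

# Constructed samples (not real camera output): JFIF header, a COM segment, a stub scan.
JFIF = seg(0xE0, b"JFIF\x00\x01\x01\x00\x00\x01\x00\x01\x00\x00")
SCAN = seg(SOS, b"\x01\x01\x00") + b"\xff\xd9"
CLEAN = b"\xff\xd8" + JFIF + seg(COM, b"shot on holiday") + SCAN
POLYGLOT = b"\xff\xd8" + JFIF + seg(COM, b"<html><script>/* hidden */</script>") + SCAN
```

Pair a check like this with an `X-Content-Type-Options: nosniff` response header, so the browser honours the declared image type instead of sniffing the bytes for HTML.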