Unrestricted File Upload
This is a Vulnerability. To view all vulnerabilities, please see the Vulnerability Category page.
Last revision (mm/dd/yy): 04/18/2010
Uploaded files represent a significant risk to applications. The first step in many attacks is to get some code to the system to be attacked. Then the attack only needs to find a way to get the code executed. Using a file upload helps the attacker accomplish the first step.
The consequences of unrestricted file upload can vary, including complete system takeover, an overloaded file system, forwarding attacks to backend systems, and simple defacement. It depends on what the application does with the uploaded file, including where it is stored.
There are really two different classes of problems here. The first is with the file metadata, like the path and filename. These are generally provided by the transport, such as HTTP multipart encoding. This data may trick the application into overwriting a critical file or storing the file in a bad location. You must validate the metadata extremely carefully before using it.
The other class of problem is with the file content. The range of problems here depends entirely on what the file is used for. See the examples below for some ideas about how files might be misused. To protect against this type of attack, you should analyze everything your application does with files and think carefully about what processing and interpreters are involved.
- The impact of this attack is high but the likelihood is low. So, the severity of this type of attack is Medium.
- The website can be defaced.
- The web server can be compromised by uploading and executing a web-shell which can: run a command, browse the system files, browse the local resources, attack to other servers, and exploit the local vulnerabilities, and so on.
- This attack can make the website vulnerable to some other types of attacks such as XSS.
- An attacker might be able to put a phishing page into the website.
- Local file inclusion vulnerabilities can be exploited by uploading a malicious file into the server.
- Local vulnerabilities of real-time monitoring tools such as an antivirus can be exploited by uploading a harmful file.
- A malicious file can be uploaded on the server in order to have a chance to be executed by administrator or webmaster later.
- The web server might be used as a warez server by a bad guy in order to be host of malwares, illegal software, steganographic objects, and so on.
Attacks on application platform
- Upload .jsp file into web tree - jsp code executed as web user
- Upload .gif to be resized - image library flaw exploited
- Upload huge files - file space denial of service
- Upload file using malicious path or name - overwrite critical file
- Upload file containing personal data - other users access it
- Upload file containing "tags" - tags get executed as part of being "included" in a web page
Attacks on other systems
- Upload .exe file into web tree - victims download trojaned executable
- Upload virus infected file - victims' machines infected
- Upload .html file containing script - victim experiences Cross-site Scripting (XSS)
Weak Protection Methods and Methods of Bypassing
Using Black-List for Files’ Extensions
Some web applications still use only a black-list of extensions to prevent from uploading a malicious file.
- It is possible to bypass this protection by using some extensions which are executable on the server but are not mentioned in the list. (Example: “file.php5”, “file.shtml”, “file.asa”, or “file.cer”)
- Sometimes it is possible to bypass this protection by changing some letters of extension to the capital form (example: “file.aSp” or “file.PHp3”).
- Using trailing spaces and/or dots at the end of the filename can sometimes cause bypassing the protection. These spaces and/or dots at the end of the filename will be removed when the file wants to be saved on the hard disk automatically. The filename can be sent to the server by using a local proxy or using a simple script (example: “file.asp ... ... . . .. ..“).
- In case of using insecure IIS6 (or prior versions), it might be possible to bypass this protection by adding a semi-colon after the forbidden extension and before the permitted extension (example: “file.asp;.jpg”).
- This protection can be completely bypassed by using the most famous control character which is Null character (0x00) after the forbidden extension and before the permitted one. In this method, during the saving process all the strings after the Null character will be discarded. Putting a Null character in the filename can be simply done by using a local proxy or by using a script (example: “file.asp%00.jpg”). Besides, it would be perfect if the Null character is inserted directly by using the Hex view option of a local proxy such as Burpsuite or Webscarab in the right place (without using %).
- It is also possible to create a file with a forbidden extension by using NTFS alternate data stream (ADS). In this case, a “:” sign will be inserted after the forbidden extension and before the permitted one. As a result, an empty file with the forbidden extension will be created on the server (example: “file.asp:.jpg”). Attacker can try to edit this file later to execute his/her malicious codes. However, an empty file is not always good for an attacker. So, there is an invented method by the author of this paper in which an attacker can upload a non-empty shell file by using the ADS. In this method, a forbidden file can be uploaded by using this pattern: “file.asp::$data.”.
- Sometimes combination of the above can lead to bypassing the protections.
Using White-List for Files’ Extensions
Many web applications use a white-list to accept the files’ extensions. Although using white-list is one of the recommendations, it is not enough on its own. Without having input validation, there is still a chance for an attacker to bypass the protections.
- the 3rd, 4th, 5th, and 6th methods of last section apply here as well.
- The list of permitted extensions should be reviewed as it can contain malicious extension as well. For instance, in case of having “.shtml” in the list, the application can be vulnerable to SSI attacks.
Using “Content-Type” from the Header
“Content-Type” entity in the header of the request indicates the Internet media type of the message content . Sometimes web applications use this parameter in order to recognize a file as a good one. For instance, they only accept the files with the “Content-Type” of “text/plain”.
- It is possible to bypass this protection by changing this parameter in the request header by using a local proxy.
Using a File Type Recogniser
Sometimes web applications intentionally or unintentionally use some functions (or APIs) to check the type of the file in order to do further process. For instance, in case of having image resizing, it is probable to have image type recogniser.
- Sometimes the recognisers just read the few first characters (or header) of the files in order to check them. In this case, an attacker can insert the malicious code after some valid header.
- There are always some places in the structure of the files which are for the comments section and have no effect on the main file. And, an attacker can insert malicious codes in these points.
- Also, it is not impossible to think about a file modifier (for example an image resizer) which produces malicious codes itself in case of receiving special input.
Related Technical Impacts
- Improve File Uploaders’ Protections – Bypass Methods- Rev. 1.0 http://soroush.secproject.com/blog/2010/03/improve-file-uploaders%e2%80%99-protections-rev-1-0/
- Microsoft IIS ASP Multiple Extensions Security Bypass http://secunia.com/advisories/37831/