| VID |
210006 |
| Severity |
40 |
| Port |
80, ... |
| Protocol |
TCP |
| Class |
CGI |
| Detailed Description |
An indicator of file upload capability was found on the Web server. File upload capability allows web users to send a file from their computers to the web server. If the web application that receives the file does not carefully examine it for malicious content, this could allow an attacker from uploading a malicious file on the server. File upload introduces several threats to the application as follows:
1. Malicious Content: A user might be able to bypass security restrictions and upload an executable file. This file could be a cmdasp.asp file that lets the user run arbitrary commands on the IIS server. It could also be a PHP file that simply uses the passthru function to run arbitrary commands on the web server. Alternately, the file may contain a virus or Trojan horse that is intended to attack another user.
2. File Overwrite: A user might be able to overwrite a system file such as httpd.conf, /etc/passwd, or .htaccess in order to create a back door into the server. Or, the user could overwrite a file within the web document root such as login.pl in order to gather usernames and passwords or perform some social engineering trick.
3. Denial of Service: A user might be able to upload excessively large files that either cause the application to crash or fill up the server's disk space.
* Note: This check solely relied on existence of the indicator of file upload capability on the remote Web application to assess this vulnerability, so this might be a false positive.
* Platforms Affected:
Any HTTP server Any version
Any operating system Any version |
| Recommendation |
Have a developer ensure that the following recommendations are taken to sanitize the file being received:
- Restrict the size of the file to be uploaded.
- Restrict file types, and verify that the uploaded file contains appropriate content.
- Restrict the user to uploading to a specified directory on the web server. Do not place the file in a directory accessible by web users. It is preferable for the destination directory to be outside of the web root.
- Do not allow user input to specify the destination directory or file name of uploaded files.
- Do not allow execute permissions on uploaded files.
- Enable virus scan on the destination directory.
- Log information about each upload, like uploader's IP address, hostname, browser & operating system. |
| Related URL |
(CVE) |
| Related URL |
(SecurityFocus) |
| Related URL |
(ISS) |
|
