Unrestricted Upload of File with Dangerous Type |
Weakness ID: 434 (Weakness Base) | Status: Draft |
Description Summary
Unrestricted File Upload: | The "unrestricted file upload" term is used in vulnerability databases and elsewhere, but it is insufficiently precise. The phrase could be interpreted as the lack of restrictions on the size or number of uploaded files, which is a resource consumption issue. |
---|
Languages
ASP.NET: (Sometimes)
PHP: (Often)
Language-independent
Architectural Paradigms
Web-based
Technology Classes
Web-Server: (Sometimes)
Scope | Effect |
---|---|
Integrity | Technical Impact: Execute unauthorized code or commands Arbitrary code execution is possible if an uploaded file is interpreted and executed as code by the recipient. This is especially true for .asp and .php extensions uploaded to web servers because these file types are often treated as automatically executable, even when file system permissions do not specify execution. For example, in Unix environments, programs typically cannot run unless the execute bit is set, but PHP programs may be executed by the web server without directly invoking them on the operating system. |
Example 1
The following code intends to allow a user to upload a picture to the web server. The HTML code that drives the form on the user end has an input field of type "file".
Once submitted, the form above sends the file to upload_picture.php on the web server. PHP stores the file in a temporary location until it is retrieved (or discarded) by the server side code. In this example, the file is moved to a more permanent pictures/ directory.
The problem with the above code is that there is no check regarding type of file being uploaded. Assuming that pictures/ is available in the web document root, an attacker could upload a file with the name:
Since this filename ends in ".php" it can be executed by the web server. In the contents of this uploaded file, the attacker could use:
Once this file has been installed, the attacker can enter arbitrary commands to execute using a URL such as:
which runs the "ls -l" command - or any other type of command that the attacker wants to specify.
Example 2
The following code demonstrates the unrestricted upload of a file with a Java servlet and a path traversal vulnerability. The HTML code is the same as in the previous example with the action attribute of the form sending the upload file request to the Java servlet instead of the PHP code.
When submitted the Java servlet's doPost method will receive the request, extract the name of the file from the Http request header, read the file contents from the request and output the file to the local upload directory.
As with the previous example this code does not perform a check on the type of the file being uploaded. This could allow an attacker to upload any executable file or other file with malicious code.
Additionally, the creation of the BufferedWriter object is subject to relative path traversal (CWE-22, CWE-23). Depending on the executing environment, the attacker may be able to specify arbitrary files to write to, leading to a wide variety of consequences, from code execution, XSS (CWE-79), or system crash.
Reference | Description |
---|---|
CVE-2001-0901 | Web-based mail product stores ".shtml" attachments that could contain SSI |
CVE-2002-1841 | PHP upload does not restrict file types |
CVE-2005-1868 | upload and execution of .php file |
CVE-2005-1881 | upload file with dangerous extension |
CVE-2005-0254 | program does not restrict file types |
CVE-2004-2262 | improper type checking of uploaded files |
CVE-2006-4558 | Double "php" extension leaves an active php extension in the generated filename. |
CVE-2006-6994 | ASP program allows upload of .asp files by bypassing client-side checks |
CVE-2005-3288 | ASP file upload |
CVE-2006-2428 | ASP file upload |
Phase: Architecture and Design Generate your own filename for an uploaded file instead of the user-supplied filename, so that no external input is used at all. |
Phase: Architecture and Design Consider storing the uploaded files outside of the web document root entirely. Then, use other mechanisms to deliver the files dynamically. |
Phase: Architecture and Design Define a very limited set of allowable extensions and only generate filenames that end in these extensions. Consider the possibility of XSS (CWE-79) before you allow .html or .htm file types. |
Phase: Implementation Strategy: Input Validation Ensure that only one extension is used in the filename. Some web servers, including some versions of Apache, may process files based on inner extensions so that "filename.php.gif" is fed to the PHP interpreter. |
Phase: Implementation When running on a web server that supports case-insensitive filenames, ensure that you perform case-insensitive evaluations of the extensions that are provided. |
Phase: Implementation Do not rely exclusively on sanity checks of file contents to ensure that the file is of the expected type and size. It may be possible for an attacker to hide code in some file segments that will still be executed by the server. For example, GIF images may contain a free-form comments field. |
Phase: Implementation Do not rely exclusively on the MIME content type or filename attribute when determining how to render a file. Validating the MIME content type and ensuring that it matches the extension is only a partial solution. |
Ordinality | Description |
---|---|
Primary | This can be primary when there is no check at all. |
Resultant | This is frequently resultant when use of double extensions (e.g. ".php.gif") bypasses a sanity check. This can be resultant from client-side enforcement (CWE-602); some products will include web script in web clients to check the filename, without verifying on the server side. |
Nature | Type | ID | Name | View(s) this relationship pertains to |
---|---|---|---|---|
ChildOf | Category | 429 | Handler Errors | Development Concepts (primary)699 |
ChildOf | Category | 632 | Weaknesses that Affect Files or Directories | Resource-specific Weaknesses (primary)631 |
ChildOf | Weakness Class | 669 | Incorrect Resource Transfer Between Spheres | Research Concepts (primary)1000 |
ChildOf | Category | 714 | OWASP Top Ten 2007 Category A3 - Malicious File Execution | Weaknesses in OWASP Top Ten (2007) (primary)629 |
ChildOf | Category | 801 | 2010 Top 25 - Insecure Interaction Between Components | Weaknesses in the 2010 CWE/SANS Top 25 Most Dangerous Programming Errors (primary)800 |
PeerOf | Weakness Base | 351 | Insufficient Type Distinction | Research Concepts1000 |
PeerOf | Weakness Base | 430 | Deployment of Wrong Handler | Research Concepts1000 |
PeerOf | Weakness Base | 436 | Interpretation Conflict | Research Concepts1000 |
CanFollow | Weakness Class | 73 | External Control of File Name or Path | Research Concepts1000 |
CanFollow | Weakness Base | 183 | Permissive Whitelist | Research Concepts1000 |
CanFollow | Weakness Base | 184 | Incomplete Blacklist | Research Concepts1000 |
This can have a chaining relationship with incomplete blacklist / permissive whitelist errors when the product tries, but fails, to properly limit which types of files are allowed (CWE-183, CWE-184). This can also overlap multiple interpretation errors for intermediaries, e.g. anti-virus products that do not filter attachments with certain file extensions that can be processed by client systems. |
PHP applications are most targeted, but this likely applies to other languages that support file upload, as well as non-web technologies. ASP applications have also demonstrated this problem. |
Mapped Taxonomy Name | Node ID | Fit | Mapped Node Name |
---|---|---|---|
PLOVER | Unrestricted File Upload | ||
OWASP Top Ten 2007 | A3 | CWE More Specific | Malicious File Execution |
CAPEC-ID | Attack Pattern Name | (CAPEC Version: 1.4) |
---|---|---|
122 | Exploitation of Authorization |
Richard Stanway (r1CH). "Dynamic File Uploads, Security and You". <http://shsc.info/FileUploadSecurity>. |
Johannes Ullrich. "8 Basic Rules to Implement Secure File Uploads". 2009-12-28. <http://blogs.sans.org/appsecstreetfighter/2009/12/28/8-basic-rules-to-implement-secure-file-uploads/>. |
Submissions | ||||
---|---|---|---|---|
Submission Date | Submitter | Organization | Source | |
PLOVER | Externally Mined | |||
Modifications | ||||
Modification Date | Modifier | Organization | Source | |
2008-07-01 | Eric Dalci | Cigital | External | |
updated Time of Introduction | ||||
2008-09-08 | CWE Content Team | MITRE | Internal | |
updated Alternate Terms, Relationships, Other Notes, Taxonomy Mappings | ||||
2009-01-12 | CWE Content Team | MITRE | Internal | |
updated Relationships | ||||
2009-12-28 | CWE Content Team | MITRE | Internal | |
updated Applicable Platforms, Functional Areas, Likelihood of Exploit, Potential Mitigations, Time of Introduction | ||||
2010-02-16 (Critical) | CWE Content Team | MITRE | Internal | |
converted from Compound Element to Weakness |