Reliance on File Name or Extension of Externally-Supplied File |
Weakness ID: 646 (Weakness Variant) | Status: Incomplete |
Description Summary
Extended Description
An application might use the file name or extension of of a user-supplied file to determine the proper course of action, such as selecting the correct process to which control should be passed, deciding what data should be made available, or what resources should be allocated. If the attacker can cause the code to misclassify the supplied file, then the wrong action could occur. For example, an attacker could supply a file that ends in a ".php.gif" extension that appears to be a GIF image, but would be processed as PHP code. In extreme cases, code execution is possible, but the attacker could also cause exhaustion of resources, denial of service, information disclosure of debug or system data (including application source code), or being bound to a particular server side process. This weakness may be due to a vulnerability in any of the technologies used by the web and application servers, due to misconfiguration, or resultant from another flaw in the application itself.
Scope | Effect |
---|---|
Confidentiality | Information Leakage |
Availability | Denial of Service |
Access Control | Privilege Escalation |
There is reliance on file name and/or file extension on the server side for processing. |
Make decisions on the server side based on file content and not on file name or extension. |
Properly configure web and applications servers. |
Install the latest security patches for all of the technologies being used on the server side. |
Nature | Type | ID | Name | View(s) this relationship pertains to |
---|---|---|---|---|
ChildOf | Weakness Class | 345 | Insufficient Verification of Data Authenticity | Development Concepts (primary)699 Research Concepts (primary)1000 |
ChildOf | Category | 442 | Web Problems | Development Concepts699 |
CAPEC-ID | Attack Pattern Name | (CAPEC Version: 1.4) |
---|---|---|
209 | Cross-Site Scripting Using MIME Type Mismatch |
Submissions | ||||
---|---|---|---|---|
Submission Date | Submitter | Organization | Source | |
2008-01-30 | Evgeny Lebanidze | Cigital | External Submission | |
Modifications | ||||
Modification Date | Modifier | Organization | Source | |
2008-09-08 | CWE Content Team | MITRE | Internal | |
updated Common Consequences, Relationships, Observed Example | ||||
2008-10-13 | CWE Content Team | MITRE | Internal | |
Significant clarification of the weakness description. | ||||
2008-10-14 | CWE Content Team | MITRE | Internal | |
updated Description, Name, Observed Examples, Relationships | ||||
2009-07-27 | CWE Content Team | MITRE | Internal | |
updated Related Attack Patterns | ||||
2009-10-29 | CWE Content Team | MITRE | Internal | |
updated Common Consequences | ||||
Previous Entry Names | ||||
Change Date | Previous Entry Name | |||
2008-10-14 | Taking Actions based on File Name or Extension of a User Supplied File | |||