Unsafe File Upload by Extension Filter Bypass

Overview

Description

If a website has file upload functionality for a profile picture, it should allow only image files (like .jpg, .png); for documents, it should allow only document types (like .pdf, .doc).

If there is no file extension filter, an attacker can upload any executable file (like .php, .jsp, .aspx) and execute arbitrary code on the server, leading to compromise of the server.

Unsafe File Upload Filters:

  1. Client-side validation:

    • Sometimes the file extension is checked only on the client side (in the browser).
    • In such a case, the attacker can intercept the request and change the file to an executable one, or use a tool like cURL to craft the request with an executable file.
  2. Blacklisting extensions:

    • The developer may block the extensions of executable files, like .php, .jsp.
    • These can be easily bypassed by an attacker using alternative extensions such as .php5, .php7, .pht, .phtml, .shtml, .asa, .cer, .asax, .swf, or .xap.
    • Sometimes using upper-case characters in the extension is enough to bypass the filter, like file.pHp5 or file.aSpX.
  3. Content-Type header validation:

    • The HTTP Content-Type header tells the type of the content, like Content-Type: image/jpeg, Content-Type: image/gif, Content-Type: application/pdf.
    • This header can be easily modified by an attacker forging the request.

Impact

  • An attacker can take control of the server by uploading a web shell.
  • An attacker can upload phishing pages to the site.
  • An attacker can replace a sensitive file on the web server.

Prevention

  • Use a whitelist of allowed extensions instead of a blacklist.
  • Always check the file on the server side before storing it; never filter only on the client side.
  • Store uploaded files outside the web root, if possible.
  • If uploaded files must be in the web root, make sure the directory does not have execute permission.
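The following is an added example of a server-side upload check that follows the prevention list above; it is not code from the original page. It assumes a per-context allowlist (profile pictures vs. documents), judges the extension case-insensitively after stripping any path, ignores the forgeable Content-Type header in favour of the file's own leading bytes, and stores the file under a generated name rather than the client-supplied one.

```python
import os
import uuid

# Constructed policy for this example: for each upload context, an allowlist of
# extensions mapped to the magic bytes a genuine file of that type starts with.
ALLOWED = {
    "profile_picture": {
        ".jpg":  b"\xff\xd8\xff",
        ".jpeg": b"\xff\xd8\xff",
        ".png":  b"\x89PNG\r\n\x1a\n",
    },
    "document": {
        ".pdf":  b"%PDF-",
    },
}


def validate_upload(context, filename, data):
    """Server-side check of one uploaded file.

    Returns (accepted, detail). On success, detail is the generated storage
    name. The client-supplied Content-Type header is deliberately not a
    parameter: it is attacker-controlled and carries no weight here.
    """
    allowed = ALLOWED.get(context)
    if allowed is None:
        return False, "unknown upload context"
    # Drop any directory part the client sent and normalise case, so that
    # "avatar.pHp5" and "../x.PNG" are judged on their real extension only.
    base = os.path.basename(filename.replace("\\", "/"))
    _, ext = os.path.splitext(base)
    ext = ext.lower()
    if ext not in allowed:
        return False, f"extension {ext or '(none)'} not in allowlist"
    # Content check: the bytes must look like the type the extension claims,
    # so a script renamed to .pdf or .png is rejected regardless of its name.
    if not data.startswith(allowed[ext]):
        return False, f"content does not match {ext} signature"
    # Never store under the client's name; build one from the vetted extension.
    return True, f"{uuid.uuid4().hex}{ext}"
```

The accepted file should then be written outside the web root, or into a directory served without execute permission, under the returned name.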

Tools