Form-based File Upload
Info Web Application Scanning Plugin ID 98080
SynopsisForm-based File Upload
DescriptionThe design of many web applications require that users be able to upload files that will either be stored or processed by the receiving web server.
Scanner has flagged this not as a vulnerability, but as a prompt for the penetration tester to conduct further manual testing on the file upload function.
An insecure form-based file upload could allow a cyber-criminal a means to abuse and successfully exploit the server directly, and/or any third party that may later access the file. This can occur through uploading a file containing server side-code (such as PHP) that is then executed when requested by the client.
SolutionThe identified page should at a minimum:
1. Whitelist permitted file types and block all others. This should be conducted on the MIME type of the file rather than its extension. 2. As the file is uploaded, and prior to being handled (written to the disk) by the server, the filename should be stripped of all control, special, or Unicode characters. 3. Ensure that the upload is conducted via the HTTP `POST` method rather than `GET` or `PUT`. 4. Ensure that the file is written to a directory that does not hold any execute permission and that all files within that directory inherit the same permissions. 5. Scan (if possible) with an up-to-date virus scanner before being stored. 6. Ensure that the application handles files as per the host operating system. For example, the length of the file name is appropriate, there is adequate space to store the file, protection against overwriting other files etc.