Thursday, 28 May 2015

Arbitrary or Unrestricted File Upload

Arbitrary or Unrestricted File Upload is a type of web application vulnerability that occurs when the server does not properly validate the files uploaded to it.
Suppose a website allows users to upload image files with extensions such as .jpg, .png and .gif. If the website cannot properly verify the image file being uploaded, an attacker can take control of the whole website or server. This is especially true for files with extensions such as .php and .asp, because the server executes them automatically.

So in this post I will explain how this vulnerability is caused by studying the source code. This post has been written with readers who are new to this type of vulnerability in mind, so the examples explained here are basic ones. Advanced examples will be posted in PART 2 of this post.

The following is an HTML upload form which allows pictures to be uploaded to the server.

<form action="upload.php" method="post" enctype="multipart/form-data">
Choose a file to upload:
<input type="file" name="uploadedfile"/>
<input type="submit" name="submit" value="Submit"/>
</form>
When the form is submitted, the file is sent to upload.php on the server. The file is stored in a temporary location until it is retrieved by the server-side code. So after the file is uploaded, upload.php moves it to a permanent directory or location:
<?php
// Define the target location where the picture being
// uploaded is going to be saved.
$target = "pictures/" . basename($_FILES['uploadedfile']['name']);

// Move the uploaded file to the new location.
if (move_uploaded_file($_FILES['uploadedfile']['tmp_name'], $target)) {
    echo "The picture has been successfully uploaded.";
} else {
    echo "There was an error uploading the picture, please try again.";
}
The problem with the above code is that the type of the file being uploaded is never verified; as a result, an attacker can upload a malicious file to the server.

Once the malicious file is uploaded on the server, arbitrary command execution is possible.

A simple solution that is often proposed for this kind of problem is to check the MIME type reported in the upload request:
if ($_FILES['uploadedfile']['type'] != "image/gif") {
    echo "Sorry, we only allow uploading GIF images";
    exit; // stop here, otherwise the file would still be moved into place
}
However, this method too can be bypassed by manipulating the request header (the 'type' value comes straight from the client's Content-Type header), allowing
What can be done instead is to use PHP functions that check the file content itself to confirm it really is of the desired type. For example, PHP's getimagesize() function takes a file name as an argument and returns the dimensions and type of the image.
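The hardened upload.php below is an added example written for this post, not the post's own code. It combines the getimagesize() check described above with the other checks a reviewer would expect on an upload handler, so it goes beyond what the post shows. It assumes (none of this is from the post) that the form field is named "uploadedfile", that an "uploads" directory next to the script is writable and configured not to execute scripts, and that a 2 MiB size limit is acceptable.

```php
<?php
// Added example (not the post's own code): a hardened version of upload.php.
// Assumptions: form field "uploadedfile", a writable non-executable "uploads"
// directory beside this script, and a 2 MiB limit (all chosen for this example).

$uploadDir = __DIR__ . '/uploads';
$maxBytes  = 2 * 1024 * 1024;

// Image types we accept, keyed by the IMAGETYPE_* constant getimagesize() returns.
// The value is the extension WE assign; the client's name is never reused.
$allowed = [
    IMAGETYPE_GIF  => 'gif',
    IMAGETYPE_JPEG => 'jpg',
    IMAGETYPE_PNG  => 'png',
];

function handleUpload(array $file, string $uploadDir, array $allowed, int $maxBytes): string
{
    // 1. Reject anything PHP itself flagged as a failed or missing upload.
    if (!isset($file['error']) || $file['error'] !== UPLOAD_ERR_OK) {
        throw new RuntimeException('Upload failed or no file sent.');
    }
    // 2. The temp path must really be a file uploaded in this request.
    if (!is_uploaded_file($file['tmp_name'])) {
        throw new RuntimeException('Invalid upload source.');
    }
    // 3. Enforce the size limit before parsing any content.
    if ($file['size'] > $maxBytes) {
        throw new RuntimeException('File too large.');
    }
    // 4. Inspect the bytes, not the client-supplied name or Content-Type.
    //    $file['type'] is attacker-controlled and is deliberately ignored.
    $info = @getimagesize($file['tmp_name']);
    if ($info === false || !isset($allowed[$info[2]])) {
        throw new RuntimeException('Not an accepted image type.');
    }
    // 5. Cross-check with libmagic; the two detectors must agree.
    $finfo = new finfo(FILEINFO_MIME_TYPE);
    if ($finfo->file($file['tmp_name']) !== $info['mime']) {
        throw new RuntimeException('MIME type mismatch.');
    }
    // 6. Server-chosen random name plus our own extension, so a name such as
    //    "x.php" or a path component supplied by the client never reaches disk.
    $name   = bin2hex(random_bytes(16)) . '.' . $allowed[$info[2]];
    $target = $uploadDir . '/' . $name;

    if (!move_uploaded_file($file['tmp_name'], $target)) {
        throw new RuntimeException('Could not store file.');
    }
    // 7. Strip any execute bit at the filesystem level as a second layer.
    chmod($target, 0644);
    return $name;
}

if (!empty($_FILES['uploadedfile'])) {
    try {
        $stored = handleUpload($_FILES['uploadedfile'], $uploadDir, $allowed, $maxBytes);
        echo 'The picture has been successfully uploaded as ' . htmlspecialchars($stored);
    } catch (RuntimeException $e) {
        http_response_code(400);
        echo 'There was an error uploading the picture: ' . htmlspecialchars($e->getMessage());
    }
}
```

Note that getimagesize() on its own only proves the file starts with a valid image header; a file can pass that check and still carry other content. That is why the example also discards the client's filename and extension, assigns its own, and relies on the upload directory being configured so the web server never executes anything stored there. The content check, the server-chosen name and the non-executable directory are separate layers, and the handler is only as strong as the weakest one.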
