Web Application Security
File Upload with changed extension Dec 02 2014 06:44PM
Jyotiranjan Acharya (jyotiranjan121 gmail com) (2 replies)
Re: File Upload with changed extension Dec 04 2014 01:25AM
Michal Zalewski (lcamtuf coredump cx) (1 replies)
Re: File Upload with changed extension Dec 04 2014 12:26PM
Robin Wood (robin digi ninja)
Re: File Upload with changed extension Dec 03 2014 01:42AM
Guillermo Caminer (flaco webappsec gmail com) (1 replies)
Hi!

There could be a risk involved, if:
1) The image is uploaded inside the Document Root
2) Have some malicious code inside (ex: a php shell) that is not validated
3) The Web Server somehow executes this malicious code (for example, you can put php code inside a
GIF, after the magic number, and the web app include/require this file in a php script, then the php
engine will execute the php code when it sees the php opening tag, even if it's inside the image)

Also, beware of the null byte, or example, can you upload a filename like this phpShell.php%00.jpg?

The best practice is:
a) Always upload outside the DocRoot
b) Do not trust Content-type and filename headers nor the magic number
c) Validate the content of the file
d) Scan the file with an antivirus
e) Be careful if you include/require the file

Hope it helps!

Best regards.

On 02/12/14 15:44, Jyotiranjan Acharya wrote:
> If you are able to upload a file with a changed extension, then will
> that be a problem?
> For example, you can not ,in any way, upload a .exe or .php/.jsp/.asp
> file directly into a web App, but you can by changing their extension
> to .JPG. What is the risk in such a case?
>
>
>
> This list is sponsored by Cenzic
> --------------------------------------
> Let Us Hack You. Before Hackers Do!
> It's Finally Here - The Cenzic Website HealthCheck. FREE.
> Request Yours Now!
> http://www.cenzic.com/2009HClaunch_Securityfocus
> --------------------------------------
>
>

This list is sponsored by Cenzic
--------------------------------------
Let Us Hack You. Before Hackers Do!
It's Finally Here - The Cenzic Website HealthCheck. FREE.
Request Yours Now!
http://www.cenzic.com/2009HClaunch_Securityfocus
--------------------------------------

[ reply ]
Re: File Upload with changed extension Dec 03 2014 09:44AM
Tobias Wassermann (mail tobias-wassermann de) (1 replies)
Re: File Upload with changed extension Dec 03 2014 03:29PM
Seth Art (sethsec gmail com) (1 replies)
Re: File Upload with changed extension Dec 04 2014 12:21AM
Paul Burbage (paul k burbage gmail com)


 

Privacy Statement
Copyright 2010, SecurityFocus