Unrestricted File Upload - Vulnerability Database

Unrestricted File Upload

Description

This application allows unrestricted file uploads without proper validation of file types, content, or extensions. When file upload functionality fails to verify what users are uploading, attackers can upload malicious executable files (such as web shells or scripts) to the server. Invicti successfully uploaded a file containing executable code and confirmed that the server executed it, demonstrating that an attacker could gain unauthorized code execution capabilities on the system.

Remediation

Implement comprehensive file upload validation using a defense-in-depth approach:

1. Validate file types using a whitelist: Only accept explicitly approved file extensions and MIME types. Reject all others by default.

// Example whitelist validation: the extension and the MIME type must both be on the list
const allowedExtensions = ['.jpg', '.png', '.pdf'];
const allowedMimeTypes = ['image/jpeg', 'image/png', 'application/pdf'];

// fileExtension and mimeType are taken from the upload being checked;
// the comparison is case-insensitive so that '.PHP' or '.Png' are not treated differently
if (!allowedExtensions.includes(fileExtension.toLowerCase()) ||
    !allowedMimeTypes.includes(mimeType)) {
    rejectUpload();
}

2. Verify file content: Don't rely solely on extensions or MIME types, since both are supplied by the client. Validate that the actual file content matches the expected format using file signature verification (magic numbers).

3. Sanitize filenames: Remove or replace special characters, check for double extensions (e.g., .php.png), and reject names that have no base name or that match server configuration files (e.g., .htaccess, web.config).

4. Store uploaded files securely: Save files outside the web root directory when possible, or in a dedicated upload directory with execute permissions disabled. Configure the web server to prevent script execution in upload directories.

5. Rename uploaded files: Generate random filenames to prevent direct access and path traversal attacks.

6. Implement additional controls: Enforce file size limits, scan uploads with antivirus software, and require authentication for upload functionality.
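The following Python function is an added example, not code from the Invicti entry, that combines steps 1 to 3, 5 and the size limit from step 6 into a single check; the whitelist, magic numbers and size limit are constructed values for illustration, and antivirus scanning and authentication are left to the surrounding application.

```python
import os
import secrets

# Constructed policy for this example: extension -> (MIME type, accepted magic numbers).
ALLOWED = {
    ".jpg": ("image/jpeg", [b"\xff\xd8\xff"]),
    ".png": ("image/png", [b"\x89PNG\r\n\x1a\n"]),
    ".pdf": ("application/pdf", [b"%PDF-"]),
}
MAX_BYTES = 5 * 1024 * 1024  # constructed size limit


def validate_upload(filename: str, declared_mime: str, data: bytes) -> str:
    """Whitelist, content, filename and size checks; returns the random storage name.

    Raises ValueError with a short reason when the upload must be rejected.
    """
    base = os.path.basename(filename.replace("\\", "/"))  # drop any path component
    root, ext = os.path.splitext(base)
    ext = ext.lower()
    if not root or root.startswith("."):  # '.htaccess'-style dotfiles and empty names
        raise ValueError("missing or dot-prefixed filename")
    if ext not in ALLOWED:  # step 1: default deny, whitelist only
        raise ValueError(f"extension {ext!r} not allowed")
    if "." in root:  # step 3: 'shell.php.png'-style double extensions
        raise ValueError("double extension")
    mime, magics = ALLOWED[ext]
    if declared_mime != mime:  # declared type must agree with the extension
        raise ValueError("declared MIME type does not match extension")
    if len(data) > MAX_BYTES:  # step 6: size limit
        raise ValueError("file too large")
    if not any(data.startswith(m) for m in magics):  # step 2: magic-number check
        raise ValueError("content does not match expected format")
    return secrets.token_hex(16) + ext  # step 5: random name, whitelisted extension kept


def rejection_reason(filename: str, declared_mime: str, data: bytes):
    """The rejection reason, or None when the upload is accepted."""
    try:
        validate_upload(filename, declared_mime, data)
        return None
    except ValueError as exc:
        return str(exc)


if __name__ == "__main__":
    png = b"\x89PNG\r\n\x1a\n" + b"\x00" * 16  # constructed minimal PNG header
    print(validate_upload("cat.png", "image/png", png))
    print(rejection_reason("shell.php.png", "image/png", png))
    print(rejection_reason("fake.png", "image/png", b"not an image"))
```

The returned name should be written to a directory outside the web root with script execution disabled (step 4); that part is web server configuration rather than application code.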
