Uploadify arbitrary file upload - Vulnerability Database

Uploadify arbitrary file upload

Description

This vulnerability affects web applications using the Uploadify jQuery plugin for file uploads. Uploadify lacks proper file type validation and access controls on its upload handler, allowing unauthenticated attackers to upload arbitrary files, including executable scripts, to the web server. During testing, Invicti successfully uploaded a test file named acunetix-uploadify-test.php to the server document root, demonstrating the absence of upload restrictions.

Remediation

Take the following steps to remediate this vulnerability:

1. Remove or disable Uploadify: Immediately remove the vulnerable Uploadify implementation from your application or restrict access to the upload handler using authentication and authorization controls.

2. Implement secure file upload handling: Replace Uploadify with a secure file upload solution that:
- Validates file types against a whitelist, checking both the extension and the MIME type
- Verifies the file content actually matches the declared type (do not trust the Content-Type header sent by the client)
- Renames uploaded files to a server-generated name so an attacker-chosen name cannot be executed or guessed
- Stores uploaded files outside the web root directory whenever possible
- Performs authentication and authorization checks before accepting any upload

3. Example secure upload validation (PHP):

<?php
// Map each allowed extension to the MIME type its content must have,
// so that a file cannot pass with a mismatched extension/content pair.
$allowed_types = [
    'jpg'  => 'image/jpeg',
    'jpeg' => 'image/jpeg',
    'png'  => 'image/png',
    'pdf'  => 'application/pdf',
];

// Reject missing or failed uploads before touching the file
if (!isset($_FILES['file']) || $_FILES['file']['error'] !== UPLOAD_ERR_OK) {
    die('Upload failed');
}

// Validate file extension (case-insensitive, whitelist only)
$file_ext = strtolower(pathinfo($_FILES['file']['name'], PATHINFO_EXTENSION));
if (!array_key_exists($file_ext, $allowed_types)) {
    die('Invalid file type');
}

// Validate MIME type from the file content (not the client-supplied header)
// and require it to match the extension
$finfo = finfo_open(FILEINFO_MIME_TYPE);
$mime_type = finfo_file($finfo, $_FILES['file']['tmp_name']);
finfo_close($finfo);
if ($mime_type !== $allowed_types[$file_ext]) {
    die('Invalid file content');
}

// Generate a random filename and store the file outside the web root
// (/var/uploads/ must be writable by the web server and not served directly)
$new_filename = bin2hex(random_bytes(16)) . '.' . $file_ext;
$upload_path = '/var/uploads/' . $new_filename;
if (!move_uploaded_file($_FILES['file']['tmp_name'], $upload_path)) {
    die('Could not store file');
}

4. Configure web server: Ensure your web server is configured to prevent execution of scripts in upload directories, either by disabling script handlers for those directories in the main server configuration or by using .htaccess rules (Apache) or equivalent location rules (nginx). This is a second layer of defense in case a file slips past the upload validation.
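As an added illustration of the .htaccess rules mentioned in step 4 (not part of the Invicti page), the following file, placed in an upload directory that sits under the web root, stops Apache from executing anything stored there. It assumes Apache 2.4 with AllowOverride All (or at least FileInfo, Options and AuthConfig) granted for that directory, and mod_headers loaded.

```apache
# .htaccess for the upload directory (assumed path: /var/www/html/uploads/)
# Defence in depth: even if a script file is written here, Apache must never run it.

# Strip any script handlers or MIME types inherited from the parent config
RemoveHandler .php .phtml .php3 .php4 .php5 .php7 .phps .phar
RemoveType .php .phtml .php3 .php4 .php5 .php7 .phps .phar

# If PHP runs as an Apache module (mod_php), switch the engine off for this tree.
# Harmless when PHP runs under PHP-FPM, where the block is simply skipped.
<IfModule mod_php.c>
    php_flag engine off
</IfModule>

# Deny every file whose name contains a script extension anywhere in it,
# which also catches double extensions such as image.php.jpg
<FilesMatch "\.(php|phtml|php[0-9]|phar|phps|cgi|pl|py|sh)(\.|$)">
    Require all denied
</FilesMatch>

# No CGI execution, no server-side includes, no directory listing
Options -ExecCGI -Includes -Indexes

# Serve stored files as downloads and forbid browser content sniffing
<IfModule mod_headers.c>
    Header set X-Content-Type-Options "nosniff"
    Header set Content-Disposition "attachment"
</IfModule>
```

After deploying it, request a harmless text file saved with a .php name from the directory and confirm the server answers 403 rather than executing or echoing it.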
