Code Execution via File Upload

Severity: Critical
Summary#

Invicti detected a code execution via file upload. Invicti successfully uploaded a file and when requesting the uploaded file, code is executed in the context of the web server.

Impact#
The web server can be compromised by uploading and executing a web-shell which can run commands, browse system files, browse local resources, attack other servers, and exploit the local vulnerabilities, and so forth.
Remediation#
  • Never accept a filename and its extension directly without having a white-list filter.
  • Uploaded directory should not have any "execute" permission.
OR

Search Vulnerability

Build your resistance to threats. And save hundreds of hours each month.

Get a demo See how it works