Invicti detected an unrestricted file upload, which allows users to upload files to the web server.
If one of the uploaded files results in code execution, Invicti reports it as a separate issue.
- Compromise the web server by uploading and executing a web shell, which can run commands, browse system files and local resources, attack other servers, exploit local vulnerabilities, and so on.
- Put a phishing page into the website.
- Put a permanent XSS into the website.
- Bypass cross-origin resource sharing (CORS) policy and exfiltrate potentially sensitive data.
- Upload a file with a malicious path or name that overwrites a critical file or the personal data that other users access. For example, the attacker might replace the .htaccess file to allow execution of specific scripts.
- Never accept a filename and its extension directly without a whitelist filter.
- If Unicode characters are not needed, it is highly recommended to accept only alphanumeric characters and a single dot as input for the file name and its extension.
- Limit the file size to a maximum value to prevent denial-of-service attacks.
- The upload directory should not have any "execute" permission.
- Don't rely on client-side validation only.
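The following is an added example (not Invicti's code) showing the server-side checks above in Python: a whitelist of extensions, an alphanumeric-plus-one-dot file name rule, a size limit, and a write that neither overwrites an existing file nor sets an execute bit. The allowed extensions, size limit and name length are constructed policy values, not taken from the page.

```python
import os
import re

# Constructed policy values for this example (assumptions, not from the page).
ALLOWED_EXTENSIONS = {"png", "jpg", "jpeg", "pdf"}
MAX_UPLOAD_BYTES = 5 * 1024 * 1024  # 5 MiB upper bound against disk-filling DoS

# Alphanumeric name, exactly one dot, alphanumeric extension: no Unicode,
# no path separators, and no double extensions such as "shell.php.jpg".
SAFE_NAME_RE = re.compile(r"^[A-Za-z0-9]{1,64}\.[A-Za-z0-9]{1,8}$")


class UploadRejected(ValueError):
    """Raised when an upload fails the server-side policy."""


def validate_upload(filename: str, size: int) -> str:
    """Server-side check (never trust the client): return the safe name or raise."""
    # Keep only the final path component, so a name such as "../.htaccess"
    # cannot leave the upload directory or target a server configuration file.
    name = os.path.basename(filename.replace("\\", "/"))
    if not SAFE_NAME_RE.fullmatch(name):
        raise UploadRejected(f"invalid file name: {filename!r}")
    ext = name.rsplit(".", 1)[1].lower()
    if ext not in ALLOWED_EXTENSIONS:
        raise UploadRejected(f"extension not allowed: {ext!r}")
    if size <= 0 or size > MAX_UPLOAD_BYTES:
        raise UploadRejected(f"size {size} outside allowed range")
    return name


def save_upload(upload_dir: str, filename: str, data: bytes) -> str:
    """Validate, then write the file without an execute bit and without overwriting."""
    name = validate_upload(filename, len(data))
    path = os.path.join(upload_dir, name)
    # O_EXCL refuses to replace an existing file (no clobbering other users'
    # data); mode 0o640 leaves the file non-executable for everyone.
    fd = os.open(path, os.O_WRONLY | os.O_CREAT | os.O_EXCL, 0o640)
    with os.fdopen(fd, "wb") as fh:
        fh.write(data)
    return path
```

Serving the upload directory with script execution disabled in the web server configuration is still required; the file mode only covers the filesystem side.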