File upload vulnerabilities
File upload vulnerabilities are when a web server allows users to upload files to its filesystem without sufficiently validating things like their name, type (such asĀ
.php
Ā andĀ .jsp
), contents, or size. Filename:- If the filename isn't validated properly, this could allow an attacker to overwrite critical files simply by uploading a file with the same name. If the server is also vulnerable toĀ directory traversal, this could mean attackers are even able to upload files to unanticipated locations.
Size:- Failing to make sure that the size of the file falls within expected thresholds could also enable a form of denial-of-service (DoS) attack, whereby the attacker fills the available disk space.
Nevertheless, web servers still deal with requests for some static files, including stylesheets, images, and so on.
- If this file type is non-executable, such as an image or a static HTML page, the server may just send the file's contents to the client in an HTTP response.
- If the file type is executable, such as a PHP file,Ā andĀ the server is configured to execute files of this type, it will assign variables based on the headers and parameters in the HTTP request before running the script. The resulting output may then be sent to the client in an HTTP response.
- If the file type is executable, but the serverĀ is notĀ configured to execute files of this type, it will generally respond with an error. However, in some cases, the contents of the file may still be served to the client as plain text. Such misconfigurations can occasionally be exploited to leak source code and other sensitive information. You can see anĀ exampleĀ of this in ourĀ information disclosureĀ learning materials.
TheĀ Content-TypeĀ response header may provide clues as to what kind of file the server thinks it has served. If this header hasn't been explicitly set by the application code, it normally contains the result of the file extension/MIME type mapping.
<?php echo file_get_contents('/path/to/target/file'); ?> <?php echo system($_GET['command']); ?> GET /example/exploit.php?command=id HTTP/1.1