One of the core features of modern web systems is file uploads that allow users to transmit files from client applications to the server machine. Although the feature is considered crucial for applications that operate on user-generated content, a file upload vulnerability causes a web server to accept user-submitted files without checking for attributes such as the type, size, name, or content. In such vulnerable servers, attackers can upload malicious files that can potentially affect the web application’s availability, functionality, and data integrity.
This article discusses a file upload vulnerability, its potential impacts on modern application delivery, and effective prevention strategies.
What Is File Upload Vulnerability?
A file upload vulnerability allows attackers to inject malicious content into the application server. Also known as an unrestricted file upload, an attack is triggered by either tricking a victim user into uploading an arbitrary file or by uploading it directly through a file upload service that does not validate the type of file used.
File upload vulnerabilities are categorized according to the file attribute the application fails to validate. These include:
- Insufficient file type restrictions – If the web server fails to validate the content and file extension, attackers can upload files containing executable scripts that allow for remote code execution and other malicious actions.
- Filenames – In instances where the web server does not validate file names, attackers can overwrite the server configuration by replacing critical system files with invalid ones. Attackers can also manipulate internal paths used by the filesystem on servers containing path traversal vulnerabilities.
- Insufficient file size limit – If the server does not appropriately restrict the size of uploaded files, attackers can perform a Denial-of-Service attack by piling up the available disk space with huge files.
Multiple known bypass techniques exploit vulnerabilities based on improper file upload security controls. Some of these techniques include:
- Case-sensitive extension bypass – Attackers name file extensions using a combination of upper and lowercase letters to circumvent security measures used to validate file types
- Image content verification bypass – A combination of techniques allows attackers to upload unwanted image files successfully. These include:
- Web shell uploads – The attacker overrides or manipulates an existing global setting to trick the file upload service into accepting dangerous files.
Common Examples – File Upload Bypass Techniques
Every programming language and web development framework natively offers file upload functionality. When developing bypass scripts, attacks are concocted based on how the target framework pre-processes files before uploading.
The following section discusses common file upload bypass techniques for some of the most popular web application development frameworks.
Apache File Upload Vulnerability
The Apache web server does not execute an uploaded file unless it is specifically configured to do so. Before the server executes a user-supplied file, web developers are required to specify the following directives in the configuration file (/etc/apache2/apache2.conf):
LoadModule php_module /usr/lib/apache2/modules/libphp.so
AddType application/x-httpd-php .phpDevelopers can also override or alter a global setting by creating special configuration files for every accessible directory. Apache servers load directory-specific configurations from a .htaccess file if it has been created. In vulnerable servers, attackers can access this file and alter the directives, enabling a specific directory to serve malicious MIME types to users. For instance, the directory to execute application.json files and serve results to users would be similar to:
<staticContent>
<mimeMap fileExtension=".json" mimeType="application/json" />
</staticContent>jQuery File Upload Vulnerability
jQuery is a widely-adopted JavaScript library with its file upload feature (jQuery-File-Upload) is the second most starred GitHub project. The jQuery-File-Upload library has been found to contain multiple vulnerabilities that can be used to upload and execute malicious files. One such vulnerability is CVE-2016-3714, which affects ImageMagic, jQuery’s Image Processing library. The vulnerability allows a remote attacker to craft a malicious file that tricks the ImageMagic package into executing shell commands. The exploit is as simple as building the script and giving it a file extension accepted and executed by the platform.
A sample exploit would involve uploading the following bad code in a whitelisted format such as JPG, GIF, or PNG file:
%!PS
userdict /setpagedevice undef
save
legal
{ null restore } stopped { pop } if
{ legal } stopped { pop } if
restore
mark /OutputFile (%pipe%ping darwin.com) currentdevice putdevicepropsAfter uploading the file, the server executes the command $ ping darwin.com. Since the vulnerability is present in a library used by jQuery-File-Upload, it can be used to disguise dangerous file types as image uploads for jQuery applications.
PHP File Upload Vulnerability
Websites that allow attackers commonly exploit the upload and execution of PHP server-side scripts to build their web shell on the server. A web shell is a PHP file that allows hackers to orchestrate remote code execution by sending malicious requests to vulnerable servers. For instance, the script to read the contents of a file within the server would be:
<?php echo file_get_contents('<internal-file-path'); ?>A more sophisticated exploit involves uploading a script file that runs any command passed within the file when executed by the PHP application.
Assuming a profile image upload page relies on JavaScript for file type checking, an attacker can trick their browser into uploading a PHP file instead of an image by turning off JavaScript.
A typical attack pattern would involve the attacker naming the malicious script file mal-script.php, where its contents would look similar to:
<?php
if(isset($_REQUEST['cmd'])) {
$cmd = ($_REQUEST['cmd']);
system($cmd);
} else {
echo "Attack successful, Proceed Cautiously?";
}
?>The attacker can then disable JavaScript on their browser and upload the script when prompted for the image file. Since JavaScript is disabled, the script is uploaded to the server, even though the web page looks broken. Typing the profile image URL into the address bar executes commands specified within the uploaded script.
SMB File Upload Vulnerability
The Server Message Block (SMB) is a protocol to share ports, printers, files, and abstracted communications between networked computers. SMB is a client-server, request-response protocol that allows clients to access shared file systems and other resources hosted by a server. To exploit a vulnerable SMB server, all a hacker needs is a machine with the smbclient command tool installed and access to the SMB port 445.
To perform the exploit, attackers first check the sharenames by running a command of the form:
$ smbclient -L <vulnerable-server-ip-address> -NThe response would be similar to the following:
`WARNING: The "syslog" option is deprecated
Domain=[<client-domain-name>] OS=[<client-operating-system>] Server=[<server-id>]
Sharename Type Comment
--------- ---- -------
darwin-space Disk
IPC$ IPC IPC Service (Samba <server-id>)
Domain=[<client-domain-name>] OS=[<client-operating-system>] Server=[<server-id>]
Server Comment
--------- -------
SAMBA Samba <server-id>
Workgroup Master
--------- -------
<client-domain-name> SAMBA `This allows the attacker to pick a sharename, typically one that does not contain the $ special character, since such sharenames are more likely to have relaxed permissions.
Assuming the attacker picks the darwin-space sharename as the target disk, they’ll force it to accept their chosen types of files using the command:
$ smbclient //<vulnerable-server-ip-address>/arquivos -NImpact of a File Upload Attack
Being easy to execute and potentially exploited for various malicious activities, a file upload vulnerability is a common target of hackers. Impacts of a file upload attack include:
- Cross-site content hijacking – Relates to vulnerable server instances where an attacker can substitute legitimate web pages with their content
- Phishing attacks – Hackers can trick users with malicious scripts to gain access to sensitive data
- Denial-of-Service – If the application fails to validate the number and size of uploaded files, hackers can fill up the disk storage, overloading the server to work on client requests
- Remote code execution – Attackers leverage file upload commands to upload a web shell that allows them to execute arbitrary commands on the application server.
File Upload Vulnerability – Prevention Strategies
Techniques to prevent the file upload vulnerability include:
- Whitelisting file types – Implement an allow-list that enforces the usability of only those file extensions that are approved to be used by the application.
- File name restrictions – Once a file has been uploaded, remove all potentially dangerous characters, including unicode characters and special characters, to prevent injection attacks. Changing the uploaded file’s name is also recommended to prevent directory path exploits.
- File upload validation – When validating file uploads, use trusted validation frameworks that address all potential gaps that attackers could exploit
- File size restrictions – Enforce a file size limit and a maximum number of files that can be uploaded to keep attackers from flooding file storage.
FAQs
Which security checks are ineffective against file upload exploits?
Some security measures that cannot effectively protect websites against file upload attacks include:
- File name, type, and extension blacklists
- Using the getimagesize() function in image libraries
- Content-type header validation
What is the difference between file inclusion and file upload vulnerabilities?
The file upload vulnerability allows for the upload of malicious files without appropriate validations, including size, type, and file name. On the other hand, a file inclusion vulnerability allows for the inclusion of a remote or local file as part of the server response, which can be further executed as a code to obtain an output.
