Unrestricted File Upload

Here’s a simple attack that may not seem as common these days, but even with sufficiently secure frameworks, unknowing developers can bypass security features and produce a vulnerable application. Even large IT companies stumble sometimes. Don’t let it take you by surprise: there are loads of ways to attack and bypass security features.

Note that uploading malicious files is usually not a problem on its own, unless there’s another security vulnerability that enables an attacker to exploit it. It makes sense to fix this security hole anyway, because you don’t know when someone is going to find a new fault in your system.

What is it?

The idea is quite straightforward. A hacker uses your file upload form to hack into your system. There are loads of ways to exploit this vulnerability. A common one is to steal other users’ session IDs by putting XSS in the filename, or to get sensitive server information by uploading a PHP file and running it by exploiting a Path Traversal vulnerability.

Exploiting a vulnerable field

While there is a large list of things you should test and tools to help you do it, let’s keep it simple for the purpose of explaining the basic concept. Since we already covered XSS let’s focus on executing files on the server.

This attack is only applicable to PHP servers that are also vulnerable to Path Traversal. While simple to understand, it’s a good example of how dangerous an attack can be.

1. Create a malicious file to upload

Name the file something like “go.php”. The contents can be <?php exec($_GET['cmd']); ?>. What does it do? exec is a PHP function that runs a shell command, so any Linux command you pass as its parameter will be executed on the operating system, under the account the web server runs as. $_GET['cmd'] fetches the cmd parameter value from the URL, which is then passed on to exec.

2. Upload the file

Just upload this file through a normal file upload form on a webpage. You will probably get an error saying “php extension not allowed”, so just rename your file to “go.jpg”: images are almost always accepted, and when PHP includes a file it doesn’t care what the extension is.

3. Execute the file

Since in this example we assume the website is vulnerable to Path Traversal, we’re going to use that to execute the file.

http://example.com/?page=profile&avatar=uploads/users/go.jpg&cmd=pwd

Notice the cmd= part. We have just implemented a PHP shell: we can now run shell commands on the server through the file we uploaded. This opens the server up to a whole range of other attacks, though only within the permissions of the user the web server runs as, so never run your web server as root!

Fixing

There are many ways to fix this particular vulnerability:

  1. Fix the Path Traversal vulnerability.
  2. Never include files from user-upload directories.
  3. Make sure the file contents match the file type (assuming you’re already checking file types).
  4. Never let the user know which directory the file has been, or will be, uploaded to.
  5. Never keep the original filename for an uploaded file, so the user can’t know what it is called after upload. This means generating a random name for each file and saving the original name in the database.
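As an added example that is not part of the original article, here is a PHP upload handler applying fixes 3 and 5 above (and keeping files out of the include path, fix 2). The function name store_avatar, the constants and the $uploadDir argument are assumptions of this example, not something the article prescribes.

```php
<?php
// Added example, not from the original article. Assumes $uploadDir is a
// directory OUTSIDE the web root and that the returned name is stored in the
// database next to the original filename.
const MAX_UPLOAD_BYTES = 2 * 1024 * 1024;

// Allow-list: MIME type detected from content => extension WE assign.
// The extension the client sent is never used.
const ALLOWED_IMAGE_TYPES = [
    'image/jpeg' => 'jpg',
    'image/png'  => 'png',
    'image/gif'  => 'gif',
];

/**
 * Validate one entry from $_FILES and store it under a random name.
 * Returns the generated filename; throws on any validation failure.
 */
function store_avatar(array $file, string $uploadDir): string
{
    if (($file['error'] ?? UPLOAD_ERR_NO_FILE) !== UPLOAD_ERR_OK) {
        throw new RuntimeException('Upload failed');
    }
    // Only accept files PHP itself received via HTTP POST, never an arbitrary path.
    if (!is_uploaded_file($file['tmp_name'])) {
        throw new RuntimeException('Not an uploaded file');
    }
    if ($file['size'] > MAX_UPLOAD_BYTES) {
        throw new RuntimeException('File too large');
    }
    // Fix 3: decide the type from the CONTENT, not from the user-supplied name.
    $finfo = finfo_open(FILEINFO_MIME_TYPE);
    $mime  = finfo_file($finfo, $file['tmp_name']);
    finfo_close($finfo);
    if (!isset(ALLOWED_IMAGE_TYPES[$mime])) {
        throw new RuntimeException('Unsupported file type');
    }
    // Second opinion: getimagesize() returns false unless the file parses as an image.
    if (getimagesize($file['tmp_name']) === false) {
        throw new RuntimeException('File is not a valid image');
    }
    // Fix 5: random, server-chosen name; the original name goes to the database only.
    $newName = bin2hex(random_bytes(16)) . '.' . ALLOWED_IMAGE_TYPES[$mime];
    $dest    = rtrim($uploadDir, '/') . '/' . $newName;
    if (!move_uploaded_file($file['tmp_name'], $dest)) {
        throw new RuntimeException('Could not store file');
    }
    chmod($dest, 0644); // plain data, never executable
    return $newName;
}
```

A file that parses as a valid image can still carry PHP code in its metadata, so these checks do not replace fix 2: serve the stored file with readfile() and a fixed Content-Type, and never pass its path to include().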

So What Exactly Did I Just Read?

Unrestricted File Upload is a nasty vulnerability that can be used in conjunction with other vulnerabilities, for a lot of different nasty things like running malicious code and commands on a web server. Many of the ways to patch it involve patching other vulnerabilities at the same time.