“File upload” does not refer to a particular vulnerability, but rather to a family of web vulnerabilities that can have a very serious impact, since they allow arbitrary code execution by an attacker on the targeted machine.
“File uploads” concept
An interactive website usually allows its users to send files; for example, avatars on a forum, photos on a gallery, attached documents on a support chat… The issue may appear when an attacker manages to send a file containing executable code, and to force the webserver to execute it. It is possible if the website in question has a “file upload” type vulnerability, and does not block the attacker’s request.
For instance, on a PHP server, a malevolent file called “my image.php”, containing an image as well as a small piece of PHP code, is very likely to be recognized as an image when it is sent, but executed as code when it is called by the attacker or any visitor going on the page where the malevolent image is present.
|Visual of the image sent by the pirate||Actual content of the file|
|Here, a line of PHP code is hidden among the image data.|
How to avoid “file upload” vulnerabilities?
There are many remedies, all complementary and hard to apply if they weren’t taken into account during the application’s creation:
- Don’t allow users to send files, when it is not a major function of your website or application
- Deny code execution from the folder in which sent files are stored
- Verify and authorize tolerated file extensions with a white list, such as .jpg, .png, .pdf, .gif, .xls, etc…
- Check out the MIME type of sent files. For example a file which type is image/gif may be legitimate, while application/php is not.
- Force the MIME type of sent file when it is served to (downloaded by) users visiting a page, in order to prevent the browser of a potential victim to execute the file
- Rename sent files with a randomly generated name, to prevent the attacker from creating special files (robots.txt, .htaccess) and referring it easily to have them executed.
CerberHost’s answers to “file uploads”
We use two different approaches to fight against this type of vulnerabilities:
- A daemon is awaken every time a file is created on the website; if It contains code that can be executed by the webserver, an alert is raised. To avoid false positive (erroneous alarm in the case of a legitimate file), a whole set of rules is deployed in order to let legitimate creations go through, in the case of a website update for instance.
- There is also a periodicscan done by our in-house antivirus software, in order to detect malevolent PHP-type files, even if they are strongly obfuscated, (drowned in a mass of information).
CerberHost protects your website against all Top 10 OWASP attacks, and much more.
To discover CerberHost in pictures, watch its presentation video HERE.