What are the perils of Unrestricted File Uploads?

Some applications allow users to upload their files. If there are no limitations on the uploaded filename, type, or size the unrestricted file upload could cause massive problems.

What causes unrestricted file uploads?

The main objective behind an attacker exploiting the unrestricted file upload is to find a way to get their malicious code to the system to be attacked. File upload functionality acts as an entry point for various malicious files, malware, and virus programs. Various gaps in security mechanisms such as the following are the reasons behind the existence of file upload vulnerabilities:

• Missing upload rate limitation

One of the naive mistakes developers could make is to not impose any rate limitation on the file upload functionality of their web application causing an attacker to exploit this vulnerability by overwhelming the application with a barrage of malware and virus program files.

• Files uploaded to the application are not verified

Lack of verification of uploaded files leads to malicious code sent in the disguise of these benign uploaded files get stored and then get executed with elevated privileges on the system hosting the webserver. 

• Failure to limit the file size and possible dangerous content or extensions

This mistake has severe and calamitous consequences where uploading of huge files can cause file space denial of service and pivot of other server-side attacks due to malicious scripts being uploaded without any check.

Malicious Impact of Unrestricted File Upload Functionality:

• By uploading astronomical amounts of malicious files or even a zip bomb an attacker could launch a DoS – Denial of Service attack.

• Users could be tricked into providing the sensitive information to a phishing page uploaded by an attacker.

• An adversary might be able to upload malicious files causing website defacement.

• An attacker could upload a web shell and gain remote access to the webserver. This could then pivot other malicious actions on the victim’s infrastructure such as:

  • File Overwriting: A malicious file is uploaded with a similar name and extension as an existing file residing on the server causing an overwrite of the original file. Critical files such as “.htaccess file” being overwritten by an attacker could open doors to launch all kinds of attacks on the server, ranging from remote code execution to application-level denial of service attack.

Mitigation Techniques for Unrestricted File Uploads:

• To prevent exploitation of unrestricted file upload vulnerabilities developers should apply whitelist validation and filter on filenames and extensions.

• Remove special characters from filenames and implement limitations on the length of the filenames to allow only a fixed amount of characters.

• Restrictions on allowed extensions are very paramount.

• Developers must disallow the execution of files with double extensions (e.g., “file.php.png”) especially in Apache.

• The uploaded directory should not possess any “execute” permission and all the script handlers should be removed from these directories.

• Uploaded files must be stored in a private directory without execution privileges.

• File size limits with set maximum and minimum values must be set.

• Scanning of uploaded files for malicious content before processing or storage will prevent the execution of any malicious code being sent in the guise of the uploaded file.

• Uploaded files must be stored with randomly generated file names keeping a table mapping to the original names if needed.