Unrestricted Upload of File with Dangerous Type

Summary

The product allows the upload or transfer of dangerous file types that are automatically processed within its environment

Description

Allowing end users to upload files may lead to severe security threats. Attackers may use this open door to compromise your application, either by overwriting data or by injecting malicious code to run on your server.

Risk

Arbitrary code execution is possible if an uploaded file is interpreted and executed as code by the recipient. This is especially true for web-server extensions such as .asp and .php because these file types are often treated as automatically executable, even when file system permissions do not specify execution. For example, in Unix environments, programs typically cannot run unless the execute bit is set, but PHP programs may be executed by the web server without directly invoking them on the operating system.

Example

As indicated, a few devices made by Schneider Electric can be rendered inoperable when malicious firmware is downloaded to the devices.

Example Code (Bad Code)

The following code intends to allow a user to upload a picture to the web server. The HTML code that drives the form on the user end has an input field of type “file”.

<form
action="upload_picture.php" method="post" enctype="multipart/form-data">

Choose a file to upload:
<input type="file" name="filename"/>
<br/>
<input type="submit" name="submit" value="Submit"/>

</form>

Once submitted, the form above sends the file to upload_picture.php on the web server. PHP stores the file in a temporary location until it is retrieved (or discarded) by the server side code. In this example, the file is moved to a more permanent pictures/ directory.


// Define the target location where the picture being

// uploaded is going to be saved.
$target = "pictures/" . basename($_FILES['uploadedfile']['name']);

// Move the uploaded file to the new location.
if(move_uploaded_file($_FILES['uploadedfile']['tmp_name'], $target))
{
  echo "The picture has been successfully uploaded.";
}
else
{
  echo "There was an error uploading the picture, please try again.";
}

The problem with the above code is that there is no check regarding type of file being uploaded. Assuming that pictures/ is available in the web document root, an attacker could upload a file with the name:

malicious.php

Since this filename ends in “.php” it can be executed by the web server. In the contents of this uploaded file, the attacker could use:

<?php system($_GET['cmd']);?>

Once this file has been installed, the attacker can enter arbitrary commands to execute using a URL such as:

http://server.example.com/upload_dir/malicious.php?cmd=ls%20-l

which runs the ls -l command - or any other type of command that the attacker wants to specify.

Addressing Unrestricted File Upload

When it is not be possible to remove the ability to upload files, special care should be taken to ensure files are handled in a secure manner. The following checks should be implemented to ensure the security of your application:

  1. Validate each path where the uploaded data is written to.

  2. Check the content of the data being uploaded without just relying on the MIME type.

  3. Set a size limit for the uploaded data.

  4. Do not run your web application with administrator privileges.

  5. Log each upload request.

  6. Do not display system information or exception in case the upload fails as this information may help attackers to find a breach.

More specifically, consider the following architecture and design:

  1. Generate a new, unique filename for an uploaded file instead of using the user-supplied filename, so that no external input is used at all.
  2. When the set of acceptable objects, such as filenames or URLs, is limited or known, create a mapping from a set of fixed input values (such as numeric IDs) to the actual filenames or URLs, and reject all other inputs.
  3. Consider storing the uploaded files outside of the web document root entirely. Then, use other mechanisms to deliver the files dynamically
  4. Define a very limited set of allowable extensions and only generate filenames that end in these extensions. Consider the possibility of XSS (CWE-79) before allowing .html or .htm file types.
  5. For any security checks that are performed on the client side, ensure that these checks are duplicated on the server side, in order to avoid CWE-602. Attackers can bypass the client-side checks by modifying values after the checks have been performed, or by changing the client to remove the client-side checks entirely. Then, these modified values would be submitted to the server.

Consider the following implementation strategy:

  1. Input Validation. Assume all input is malicious. Use an “accept known good” input validation strategy, i.e., use a list of acceptable inputs that strictly conform to specifications. Reject any input that does not strictly conform to specifications, or transform it into something that does.

    When performing input validation, consider all potentially relevant properties, including length, type of input, the full range of acceptable values, missing or extra inputs, syntax, consistency across related fields, and conformance to business rules. As an example of business rule logic, “boat” may be syntactically valid because it only contains alphanumeric characters, but it is not valid if the input is only expected to contain colors such as “red” or “blue.”

    Do not rely exclusively on looking for malicious or malformed inputs. This is likely to miss at least one undesirable input, especially if the code’s environment changes. This can give attackers enough room to bypass the intended validation. However, denylists can be useful for detecting potential attacks or determining which inputs are so malformed that they should be rejected outright.

    For example, limiting filenames to alphanumeric characters can help to restrict the introduction of unintended file extensions.

  2. Sanity Check. Do not rely exclusively on sanity checks of file contents to ensure that the file is of the expected type and size. It may be possible for an attacker to hide code in some file segments that will still be executed by the server. For example, GIF images may contain a free-form comments field.
  3. Content Type. Do not rely exclusively on the MIME content type or filename attribute when determining how to render a file. Validating the MIME content type and ensuring that it matches the extension is only a partial solution.

Acknowledgement

This page is derived from the CodeQL project and CWE-434.