Description

The web application supports file uploads and Acunetix was able to upload a Java Applet (.class/.jar) file. If a web browser loads a Java applet from a trusted site, the browser provides no security warning. If an attacker can upload a CLASS/JAR file with an applet, the file is executed even if the web page, which embeds the applet is located on a different site. An attacker could use a file upload function to build an XSS attack using active content.

Remediation

Restrict file types accepted for upload: check the file extension and only allow certain files to be uploaded. Use a whitelist approach instead of a blacklist. Check for double extensions such as .php.png. Check for files without a filename like .htaccess (on ASP.NET, check for configuration files like web.config). Change the permissions on the upload folder so the files within it are not executable. If possible, rename the files that are uploaded.

References

OWASP Unrestricted File Upload

Why File Upload Forms are a major security threat

Related Vulnerabilities

WordPress Plugin Async JavaScript Cross-Site Scripting (2.20.12.09)

WordPress Plugin Ninja Forms Contact Form-The Drag and Drop Form Builder for WordPress Multiple Cross-Site Scripting Vulnerabilities (2.9.21)

WordPress Plugin Ultimate TinyMCE 'swfupload.swf' Cross-Site Scripting (3.5)

WordPress Plugin WooCommerce Cross-Site Scripting (2.4.8)

WordPress Plugin Link Library 'id' Parameter Cross-Site Scripting and SQL Injection Vulnerabilities (5.0.8)

Severity

High

Classification

CWE-79 CVSS:3.0/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:L/A:N CVSS:4.0/AV:N/AC:L/AT:N/PR:N/UI:P/VC:N/VI:L/VA:N/SC:N/SI:N/SA:N

Tags

Abuse Of Functionality Arbitrary File Creation Unauthenticated File Upload XSS