Description

This script is possibly vulnerable to unrestricted file upload. Various web applications allow users to upload files (such as pictures, images, sounds, ...). Uploaded files may pose a significant risk if not handled correctly. A remote attacker could send a multipart/form-data POST request with a specially-crafted filename or mime type and execute arbitrary code. Acunetix was able to upload a file containing executable code and get this code executed. Check Attack details for more information about this attack.

Remediation

Restrict file types accepted for upload: check the file extension and only allow certain files to be uploaded. Use a whitelist approach instead of a blacklist. Check for double extensions such as .php.png. Check for files without a filename like .htaccess (on ASP.NET, check for configuration files like web.config). Change the permissions on the upload folder so the files within it are not executable. If possible, rename the files that are uploaded.

References

OWASP Unrestricted File Upload

Why File Upload Forms are a major security threat

Related Vulnerabilities

WordPress Plugin Video Gallery /w YouTube, Vimeo Arbitrary File Upload (8.48)

WordPress Plugin Extend WordPress-Various Shortcodes & Widgets TimThumb Arbitrary File Upload (2.1.01)

WordPress Plugin wp Dreamwork Gallery 'upload.php' Arbitrary File Upload (2.1)

WordPress Plugin Import all XML, CSV & TXT into WordPress Arbitrary File Upload (6.4)

WordPress Plugin Word of the day Arbitrary File Upload (1.0)

Severity

Critical

Classification

CWE-434 CVSS:3.0/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:N CVSS:4.0/AV:N/AC:L/AT:N/PR:N/UI:N/VC:H/VI:H/VA:N/SC:N/SI:N/SA:N

Tags

Abuse Of Functionality Arbitrary File Creation Unauthenticated File Upload