
Pitch Guage Detection of an Unsafe File Upload or Cannot Sanitize Uploaded Document


CWE-434: Unrestricted Upload of File with Dangerous Type

Weakness ID: 434

Abstraction: Base
Structure: Simple

Status: Draft

+ Description

The software allows the attacker to upload or transfer files of dangerous types that can be automatically processed within the product's environment.

+ Alternate Terms

Unrestricted File Upload:

The "unrestricted file upload" term is used in vulnerability databases and elsewhere, but it is insufficiently precise. The phrase could be interpreted as the lack of restrictions on the size or number of uploaded files, which is a resource consumption issue.

+ Relationships

Section Help: This table shows the weaknesses and high-level categories that are related to this weakness. These relationships are defined as ChildOf, ParentOf, MemberOf and give insight to similar items that may exist at higher and lower levels of abstraction. In addition, relationships such as PeerOf and CanAlsoBe are defined to show similar weaknesses that the user may want to explore.

+ Relevant to the view "Research Concepts" (CWE-1000)

Nature Type ID Name
ChildOf Class 669 Incorrect Resource Transfer Between Spheres
PeerOf Base 351 Insufficient Type Distinction
PeerOf Class 436 Interpretation Conflict
PeerOf Base 430 Deployment of Wrong Handler
CanFollow Base 73 External Control of File Name or Path
CanFollow Base 183 Permissive List of Allowed Inputs
CanFollow Base 184 Incomplete List of Disallowed Inputs


+ Relevant to the view "Software Development" (CWE-699)

Nature Type ID Name
MemberOf Category 429 Handler Errors


+ Relevant to the view "Weaknesses for Simplified Mapping of Published Vulnerabilities" (CWE-1003)

Nature Type ID Name
ChildOf Class 669 Incorrect Resource Transfer Between Spheres


+ Relevant to the view "Architectural Concepts" (CWE-1008)

Nature Type ID Name
MemberOf Category 1011 Authorize Actors

+ Modes Of Introduction

Section Help: The different Modes of Introduction provide information about how and when this weakness may be introduced. The Phase identifies a point in the life cycle at which introduction may occur, while the Note provides a typical scenario related to introduction during the given phase.

Phase Note
Implementation
Architecture and Design OMISSION: This weakness is caused by missing a security tactic during the architecture and design phase.

+ Applicable Platforms

Section Help: This listing shows possible areas for which the given weakness could appear. These may be for specific named Languages, Operating Systems, Architectures, Paradigms, Technologies, or a class of such platforms. The platform is listed along with how frequently the given weakness appears for that instance.

Languages

ASP.NET (Sometimes Prevalent)

PHP (Often Prevalent)

Class: Language-Independent (Undetermined Prevalence)

Technologies

Web Server (Sometimes Prevalent)

+ Common Consequences

Section Help: This table specifies different individual consequences associated with the weakness. The Scope identifies the application security area that is violated, while the Impact describes the negative technical impact that arises if an adversary succeeds in exploiting this weakness. The Likelihood provides information about how likely the specific consequence is expected to be seen relative to the other consequences in the list. For example, there may be a high likelihood that a weakness will be exploited to achieve a certain impact, but a low likelihood that it will be exploited to achieve a different impact.

Scope Impact Likelihood
Integrity
Confidentiality
Availability

Technical Impact: Execute Unauthorized Code or Commands

Arbitrary code execution is possible if an uploaded file is interpreted and executed as code by the recipient. This is particularly true for .asp and .php extensions uploaded to web servers because these file types are frequently treated as automatically executable, even when file system permissions do not specify execution. For example, in Unix environments, programs typically cannot run unless the execute bit is set, but PHP programs may be executed by the web server without directly invoking them on the operating system.

+ Likelihood Of Exploit

+ Demonstrative Examples

Example 1

The following code intends to allow a user to upload a picture to the web server. The HTML code that drives the form on the user end has an input field of type "file".

(good code)

Example Language: HTML

<form action="upload_picture.php" method="post" enctype="multipart/form-data">

Choose a file to upload:
<input type="file" name="filename"/>
<br/>
<input type="submit" name="submit" value="Submit"/>

</form>

Once submitted, the form above sends the file to upload_picture.php on the web server. PHP stores the file in a temporary location until it is retrieved (or discarded) by the server-side code. In this example, the file is moved to a more permanent pictures/ directory.

(bad code)

Example Language: PHP

// Define the target location where the picture being
// uploaded is going to be saved.
$target = "pictures/" . basename($_FILES['uploadedfile']['name']);

// Move the uploaded file to the new location.
if(move_uploaded_file($_FILES['uploadedfile']['tmp_name'], $target))
{
    echo "The picture has been successfully uploaded.";
}
else
{
    echo "There was an error uploading the picture, please try again.";
}

The problem with the above code is that there is no check regarding the type of file being uploaded. Assuming that pictures/ is available in the web document root, an attacker could upload a file with the name:

Since this filename ends in ".php" it can be executed by the web server. In the contents of this uploaded file, the attacker could use:

(attack code)

Example Language: PHP

<?php

system($_GET['cmd']);

?>

Once this file has been installed, the attacker can enter arbitrary commands to execute using a URL such as:

http://server.example.com/upload_dir/malicious.php?cmd=ls%20-l

which runs the "ls -l" command - or any other type of command that the attacker wants to specify.

Example 2

The following code demonstrates the unrestricted upload of a file with a Java servlet and a path traversal vulnerability. The action attribute of an HTML form is sending the upload file request to the Java servlet.

(good code)

Example Language: HTML

<form action="FileUploadServlet" method="post" enctype="multipart/form-data">

Choose a file to upload:
<input type="file" name="filename"/>
<br/>
<input type="submit" name="submit" value="Submit"/>

</form>

When submitted, the Java servlet's doPost method will receive the request, extract the name of the file from the HTTP request header, read the file contents from the request and output the file to the local upload directory.

(bad code)

Example Language: Java

public class FileUploadServlet extends HttpServlet {

...

protected void doPost(HttpServletRequest request, HttpServletResponse response) throws ServletException, IOException {

response.setContentType("text/html");
PrintWriter out = response.getWriter();
String contentType = request.getContentType();

// the starting position of the boundary header
int ind = contentType.indexOf("boundary=");
String boundary = contentType.substring(ind+9);

String pLine = new String();
String uploadLocation = new String(UPLOAD_DIRECTORY_STRING); //Constant value

// verify that content type is multipart form data
if (contentType != null && contentType.indexOf("multipart/form-data") != -1) {

// extract the filename from the Http header
BufferedReader br = new BufferedReader(new InputStreamReader(request.getInputStream()));
...
pLine = br.readLine();
String filename = pLine.substring(pLine.lastIndexOf("\\"), pLine.lastIndexOf("\""));
...

// output the file to the local upload directory
try {

BufferedWriter bw = new BufferedWriter(new FileWriter(uploadLocation+filename, true));
for (String line; (line=br.readLine())!=null; ) {

if (line.indexOf(boundary) == -1) {

bw.write(line);
bw.newLine();
bw.flush();

}

} //end of for loop
bw.close();

} catch (IOException ex) {...}
// output successful upload response HTML page

}
// output unsuccessful upload response HTML page
else
{...}

}

...

}

This code does not perform a check on the type of the file being uploaded (CWE-434). This could allow an attacker to upload any executable file or other file with malicious code.

Additionally, the creation of the BufferedWriter object is subject to relative path traversal (CWE-23). Since the code does not check the filename that is provided in the header, an attacker can use "../" sequences to write to files outside of the intended directory. Depending on the executing environment, the attacker may be able to specify arbitrary files to write to, leading to a wide variety of consequences, from code execution, XSS (CWE-79), or system crash.

+ Observed Examples

+ Potential Mitigations

Phase: Architecture and Design

Generate a new, unique filename for an uploaded file instead of using the user-supplied filename, so that no external input is used at all.[REF-422] [REF-423]

Phase: Architecture and Design

Strategy: Enforcement by Conversion

When the set of acceptable objects, such as filenames or URLs, is limited or known, create a mapping from a set of fixed input values (such as numeric IDs) to the actual filenames or URLs, and reject all other inputs.

Phase: Architecture and Design

Consider storing the uploaded files outside of the web document root entirely. Then, use other mechanisms to deliver the files dynamically. [REF-423]

Phase: Implementation

Strategy: Input Validation

Assume all input is malicious. Use an "accept known good" input validation strategy, i.e., use a list of acceptable inputs that strictly conform to specifications. Reject any input that does not strictly conform to specifications, or transform it into something that does.

When performing input validation, consider all potentially relevant properties, including length, type of input, the full range of acceptable values, missing or extra inputs, syntax, consistency across related fields, and conformance to business rules. As an example of business rule logic, "boat" may be syntactically valid because it only contains alphanumeric characters, but it is not valid if the input is only expected to contain colors such as "red" or "blue."

Do not rely exclusively on looking for malicious or malformed inputs. This is likely to miss at least one undesirable input, especially if the code's environment changes. This can give attackers enough room to bypass the intended validation. However, denylists can be useful for detecting potential attacks or determining which inputs are so malformed that they should be rejected outright.

For example, limiting filenames to alphanumeric characters can help to restrict the introduction of unintended file extensions.

Phase: Architecture and Design

Define a very limited set of allowable extensions and only generate filenames that end in these extensions. Consider the possibility of XSS (CWE-79) before allowing .html or .htm file types.

Phase: Implementation

Strategy: Input Validation

Ensure that only one extension is used in the filename. Some web servers, including some versions of Apache, may process files based on inner extensions so that "filename.php.gif" is fed to the PHP interpreter.[REF-422] [REF-423]

Phase: Implementation

When running on a web server that supports case-insensitive filenames, perform case-insensitive evaluations of the extensions that are provided.

Phase: Architecture and Design

For any security checks that are performed on the client side, ensure that these checks are duplicated on the server side, in order to avoid CWE-602. Attackers can bypass the client-side checks by modifying values after the checks have been performed, or by changing the client to remove the client-side checks entirely. Then, these modified values would be submitted to the server.

Phase: Implementation

Do not rely exclusively on sanity checks of file contents to ensure that the file is of the expected type and size. It may be possible for an attacker to hide code in some file segments that will still be executed by the server. For example, GIF images may contain a free-form comments field.

Phase: Implementation

Do not rely exclusively on the MIME content type or filename attribute when determining how to render a file. Validating the MIME content type and ensuring that it matches the extension is only a partial solution.

Phases: Architecture and Design; Operation

Strategy: Environment Hardening

Run your code using the lowest privileges that are required to accomplish the necessary tasks [REF-76]. If possible, create isolated accounts with limited privileges that are only used for a single task. That way, a successful attack will not immediately give the attacker access to the rest of the software or its environment. For example, database applications rarely need to run as the database administrator, especially in day-to-day operations.

Phases: Architecture and Design; Operation

Strategy: Sandbox or Jail

Run the code in a "jail" or similar sandbox environment that enforces strict boundaries between the process and the operating system. This may effectively restrict which files can be accessed in a particular directory or which commands can be executed by the software.

OS-level examples include the Unix chroot jail, AppArmor, and SELinux. In general, managed code may provide some protection. For example, java.io.FilePermission in the Java SecurityManager allows the software to specify restrictions on file operations.

This may not be a viable solution, and it only limits the impact to the operating system; the rest of the application may still be subject to compromise.

Be careful to avoid CWE-243 and other weaknesses related to jails.

Effectiveness: Limited

Note: The effectiveness of this mitigation depends on the prevention capabilities of the specific sandbox or jail being used and might only help to reduce the scope of an attack, such as restricting the attacker to certain system calls or limiting the portion of the file system that can be accessed.
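The following is an added example (not MITRE's code) of a server-side validator that combines the mitigations listed above for the upload handlers in Example 1 and Example 2: it rejects path separators (the CWE-23 case), requires exactly one extension, compares the extension case-insensitively against an allowlist, checks the file's leading bytes against that type, and returns a server-generated random filename so no client input reaches the filesystem. The allowlist, magic-byte table and the assumption that upload_dir sits outside the web document root are constructed for this example.

```python
import os
import re
import secrets

# Allowlist of accepted extensions mapped to the leading bytes each must start with.
# Constructed for this example; extend it to what the application actually accepts.
ALLOWED_TYPES = {
    "png": (b"\x89PNG\r\n\x1a\n",),
    "jpg": (b"\xff\xd8\xff",),
    "jpeg": (b"\xff\xd8\xff",),
    "gif": (b"GIF87a", b"GIF89a"),
}

# Exactly one extension: a stem of safe characters, one dot, one extension.
# The stem cannot contain a dot, so "x.php.gif" never matches.
_SINGLE_EXTENSION = re.compile(r"^[A-Za-z0-9_-]{1,64}\.([A-Za-z0-9]{1,8})$")


class RejectedUpload(ValueError):
    """Raised when an upload fails validation; the message says why."""


def validate_upload(client_name: str, content: bytes) -> str:
    """Validate an uploaded file and return a new, server-generated filename.

    Checks, in order: no path separators or traversal, exactly one extension,
    extension in the allowlist (case-insensitive), and leading bytes matching
    the claimed type so the extension alone is never trusted.
    """
    # Reject "../" sequences and any other directory component (the Java example's CWE-23).
    if "/" in client_name or "\\" in client_name or client_name != os.path.basename(client_name):
        raise RejectedUpload("path separators are not allowed in a filename")
    m = _SINGLE_EXTENSION.match(client_name)
    if m is None:
        raise RejectedUpload("filename must be <stem>.<ext> with exactly one extension")
    ext = m.group(1).lower()          # case-insensitive: "shell.PHP" is still ".php"
    signatures = ALLOWED_TYPES.get(ext)
    if signatures is None:
        raise RejectedUpload(f"extension .{ext} is not in the allowlist")
    if not any(content.startswith(sig) for sig in signatures):
        raise RejectedUpload(f"content does not look like a .{ext} file")
    # Generate a fresh filename; the client-supplied stem is discarded entirely.
    return f"{secrets.token_hex(16)}.{ext}"


def upload_verdict(client_name: str, content: bytes) -> str:
    """Convenience for logging and tests: 'accepted' or 'rejected: <reason>'."""
    try:
        validate_upload(client_name, content)
        return "accepted"
    except RejectedUpload as exc:
        return f"rejected: {exc}"


def store_upload(client_name: str, content: bytes, upload_dir: str) -> str:
    """Write a validated upload into upload_dir (assumed to be outside the web
    document root, so nothing stored here is served or executed directly) and
    return the path written."""
    safe_name = validate_upload(client_name, content)
    target = os.path.join(upload_dir, safe_name)
    # O_EXCL: fail rather than overwrite if the random name somehow already exists;
    # 0o640 keeps the file non-executable.
    fd = os.open(target, os.O_WRONLY | os.O_CREAT | os.O_EXCL, 0o640)
    with os.fdopen(fd, "wb") as fh:
        fh.write(content)
    return target
```

Because the stored name is random and the allowlist is keyed by extension, the double-extension and case tricks described in the mitigations fail before any byte is written.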

+ Weakness Ordinalities

Ordinality Description

Primary

This can be primary when there is no check at all.

Resultant

This is often resultant when use of double extensions (e.g. ".php.gif") bypasses a sanity check.

Resultant

This can be resultant from client-side enforcement (CWE-602); some products will include web script in web clients to check the filename, without verifying on the server side.

+ Detection Methods

Dynamic Analysis with Automated Results Interpretation

According to SOAR, the following detection techniques may be useful:

Cost effective for partial coverage:

  • Web Application Scanner

  • Web Services Scanner

  • Database Scanners

Effectiveness: SOAR Partial

Dynamic Analysis with Manual Results Interpretation

According to SOAR, the following detection techniques may be useful:

Cost effective for partial coverage:

  • Fuzz Tester

  • Framework-based Fuzzer

Effectiveness: SOAR Partial

Manual Static Analysis - Source Code

According to SOAR, the following detection techniques may be useful:

  • Focused Manual Spotcheck - Focused manual analysis of source

  • Manual Source Code Review (not inspections)

Effectiveness: High

Automated Static Analysis - Source Code

According to SOAR, the following detection techniques may be useful:

  • Source code Weakness Analyzer

  • Context-configured Source Code Weakness Analyzer

Effectiveness: High

Architecture or Design Review

According to SOAR, the following detection techniques may be useful:

  • Formal Methods / Correct-By-Construction

Cost effective for partial coverage:

  • Inspection (IEEE 1028 standard) (can apply to requirements, design, source code, etc.)

Effectiveness: High

+ Functional Areas

  • File Processing

+ Affected Resources

  • File or Directory

+ Memberships

Section Help: This MemberOf Relationships table shows additional CWE Categories and Views that reference this weakness as a member. This information is often useful in understanding where a weakness fits within the context of external information sources.

+ Notes

Relationship

This can have a chaining relationship with incomplete denylist / permissive allowlist errors when the product tries, but fails, to properly limit which types of files are allowed (CWE-183, CWE-184).

This can also overlap multiple interpretation errors for intermediaries, e.g. anti-virus products that do not remove or quarantine attachments with certain file extensions that can be processed by client systems.

Research Gap

PHP applications are most targeted, but this likely applies to other languages that support file upload, as well as non-web technologies. ASP applications have also demonstrated this problem.

+ Taxonomy Mappings

Mapped Taxonomy Name Node ID Fit Mapped Node Name
PLOVER Unrestricted File Upload
OWASP Top Ten 2007 A3 CWE More Specific Malicious File Execution
OMG ASCSM ASCSM-CWE-434

+ References

+ Content History

+ Submissions
Submission Date Submitter System
2006-07-19 PLOVER
+ Modifications
Modification Date Modifier Organization
2008-07-01 Eric Dalci Cigital
updated Time_of_Introduction
2008-09-08 CWE Content Team MITRE
updated Alternate_Terms, Relationships, Other_Notes, Taxonomy_Mappings
2009-01-12 CWE Content Team MITRE
updated Relationships
2009-12-28 CWE Content Team MITRE
updated Applicable_Platforms, Functional_Areas, Likelihood_of_Exploit, Potential_Mitigations, Time_of_Introduction
2010-02-16 CWE Content Team MITRE
converted from Compound_Element to Weakness
2010-02-16 CWE Content Team MITRE
updated Alternate_Terms, Applicable_Platforms, Common_Consequences, Demonstrative_Examples, Name, Other_Notes, Potential_Mitigations, References, Related_Attack_Patterns, Relationship_Notes, Relationships, Type, Weakness_Ordinalities
2010-04-05 CWE Content Team MITRE
updated Related_Attack_Patterns
2010-06-21 CWE Content Team MITRE
updated References, Relationship_Notes
2010-09-27 CWE Content Team MITRE
updated Potential_Mitigations
2010-12-13 CWE Content Team MITRE
updated Potential_Mitigations
2011-06-27 CWE Content Team MITRE
updated Relationships
2011-09-13 CWE Content Team MITRE
updated Potential_Mitigations, References, Relationships
2012-05-11 CWE Content Team MITRE
updated References, Relationships
2012-10-30 CWE Content Team MITRE
updated Potential_Mitigations
2014-07-30 CWE Content Team MITRE
updated Detection_Factors
2015-12-07 CWE Content Team MITRE
updated Relationships
2017-11-08 CWE Content Team MITRE
updated Affected_Resources, Applicable_Platforms, Likelihood_of_Exploit, Modes_of_Introduction, References, Relationships, Weakness_Ordinalities
2019-01-03 CWE Content Team MITRE
updated References, Relationships, Taxonomy_Mappings
2019-06-20 CWE Content Team MITRE
updated Related_Attack_Patterns
2019-09-19 CWE Content Team MITRE
updated Relationships
2020-02-24 CWE Content Team MITRE
updated Applicable_Platforms, Potential_Mitigations
2020-06-25 CWE Content Team MITRE
updated Potential_Mitigations, Relationship_Notes
2020-08-20 CWE Content Team MITRE
updated Relationships
2020-12-10 CWE Content Team MITRE
updated Relationships
2021-03-15 CWE Content Team MITRE
updated Demonstrative_Examples
2021-07-20 CWE Content Team MITRE
updated Relationships
+ Previous Entry Names
Change Date Previous Entry Name
2010-02-16 Unrestricted File Upload


Source: https://cwe.mitre.org/data/definitions/434.html
