WebApp Sec mailing list archives
Re: File Upload with changed extension
From: Michal Zalewski <lcamtuf () coredump cx>
Date: Wed, 3 Dec 2014 17:25:08 -0800
I can't say I'm convinced about other attacks discussed in this thread, but if you have a web server that allows arbitrary file uploads and then serves them back from a sensitive origin without taking *a lot* of additional precautions (the list of which is long and ever-changing), then you probably have a problem.

For one, you can load the content via <embed> / <object> on evil.com, and have it interpreted as Flash, Silverlight, Java, or something of that sort - with permissions derived from the hosting origin and with no regard for file extensions or Content-Type. So, you get a form of XSS.

The safest / simplest approach to user-supplied non-HTML documents is to serve them in a separate domain, away from any sensitive UIs, etc.

On Tue, Dec 2, 2014 at 10:44 AM, Jyotiranjan Acharya <jyotiranjan121 () gmail com> wrote:
If you are able to upload a file with a changed extension, then will that be a problem? For example, you can not, in any way, upload a .exe or .php/.jsp/.asp file directly into a web App, but you can by changing their extension to .JPG. What is the risk in such a case?

This list is sponsored by Cenzic -------------------------------------- Let Us Hack You. Before Hackers Do! It's Finally Here - The Cenzic Website HealthCheck. FREE. Request Yours Now! http://www.cenzic.com/2009HClaunch_Securityfocus --------------------------------------
Current thread:
- File Upload with changed extension Jyotiranjan Acharya (Dec 02)
- Re: File Upload with changed extension Guillermo Caminer (Dec 02)
- Re: File Upload with changed extension Tobias Wassermann (Dec 03)
- Re: File Upload with changed extension Seth Art (Dec 03)
- Re: File Upload with changed extension Paul Burbage (Dec 03)
- Re: File Upload with changed extension Tobias Wassermann (Dec 03)
- Re: File Upload with changed extension Guillermo Caminer (Dec 02)
- Re: File Upload with changed extension Michal Zalewski (Dec 03)
- Re: File Upload with changed extension Robin Wood (Dec 04)