Unrestricted File Upload

  • CWE 434
  • PCI 3.2-6.5.1
  • OWASP 2013-A1

Uploaded files represent a significant risk to applications. The first step in many attacks is to get some code to the system to be attacked. Then the attack only needs to find a way to get the code executed. Using a file upload helps the attacker accomplish the first step.

The consequences of unrestricted file upload can vary, including

  • complete system takeover
  • an overloaded file system or database
  • forwarding attacks to back-end systems
  • client-side attacks
  • simple defacement.

It depends on what the application does with the uploaded file and especially where it is stored.

References