WebApp Sec mailing list archives
Re: File Upload with changed extension
From: Robin Wood <robin@digi.ninja>
Date: Thu, 4 Dec 2014 12:26:24 +0000
No one has mentioned the ability to use the server as a warez server; that could be a problem if the max upload file size is large enough.

On 4 December 2014 at 01:25, Michal Zalewski <lcamtuf () coredump cx> wrote:

> I can't say I'm convinced about other attacks discussed in this thread, but if you have a web server that allows arbitrary file uploads and then serves them back from a sensitive origin without taking *a lot* of additional precautions (the list of which is long and ever-changing), then you probably have a problem.
>
> For one, you can load the content via <embed> / <object> on evil.com, and have it interpreted as Flash, Silverlight, Java, or something of that sort - with permissions derived from the hosting origin and with no regard for file extensions or Content-Type. So, you get a form of XSS.
>
> The safest / simplest approach to user-supplied non-HTML documents is to serve them in a separate domain, away from any sensitive UIs, etc.
>
> On Tue, Dec 2, 2014 at 10:44 AM, Jyotiranjan Acharya <jyotiranjan121 () gmail com> wrote:
>
>> If you are able to upload a file with a changed extension, then will that be a problem? For example, you cannot, in any way, upload a .exe or .php/.jsp/.asp file directly into a web app, but you can by changing their extension to .JPG. What is the risk in such a case?
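The mitigation Zalewski describes, as an added Python example that is not from the thread: accept an upload only if its bytes match an allow-listed image signature (the client-supplied name and extension are ignored), store it under a server-chosen name, and serve it from a dedicated origin with explicit headers. The signature table, the `usercontent.example` origin and the function names are assumptions for illustration.

```python
import os
import secrets

# Magic-byte signatures for the image types this hypothetical upload
# endpoint accepts. Neither the extension nor the Content-Type sent by
# the client is consulted, since both are attacker-controlled.
SIGNATURES = {
    "image/jpeg": [b"\xff\xd8\xff"],
    "image/png": [b"\x89PNG\r\n\x1a\n"],
    "image/gif": [b"GIF87a", b"GIF89a"],
}
EXT_FOR_TYPE = {"image/jpeg": ".jpg", "image/png": ".png", "image/gif": ".gif"}

# Assumed dedicated origin for user content: no session cookies, no
# sensitive UI, so content interpreted there inherits nothing useful.
UPLOAD_ORIGIN = "https://usercontent.example"


def sniff_type(data: bytes):
    """Return the verified MIME type of `data`, or None if no signature matches."""
    for mime, sigs in SIGNATURES.items():
        if any(data.startswith(s) for s in sigs):
            return mime
    return None


def store_upload(data: bytes, claimed_name: str) -> str:
    """Validate by content and return a server-chosen stored name.

    `claimed_name` (e.g. 'shell.php.jpg') is deliberately unused: the
    stored extension comes from the verified type, never from the client.
    """
    mime = sniff_type(data)
    if mime is None:
        raise ValueError("upload rejected: not an allow-listed image type")
    return secrets.token_hex(16) + EXT_FOR_TYPE[mime]


def serving_headers(stored_name: str) -> dict:
    """Response headers for serving a stored upload from UPLOAD_ORIGIN."""
    ext = os.path.splitext(stored_name)[1]
    mime = next(m for m, e in EXT_FOR_TYPE.items() if e == ext)
    return {
        "Content-Type": mime,
        # Forbid browser MIME sniffing of the declared type.
        "X-Content-Type-Options": "nosniff",
        # Top-level navigation to the file downloads it instead of rendering it;
        # <img> subresource loads are unaffected.
        "Content-Disposition": "attachment",
    }


def public_url(stored_name: str) -> str:
    """URL on the separate origin, never on the application's own host."""
    return f"{UPLOAD_ORIGIN}/{stored_name}"
```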