Malicious File Upload Description: If applications having file upload feature do not check for permissible
- file extension
- file size
- file content etc
then those applications are having malicious file upload vulnerability.
Impact:
- The server or computer system may get affected with virus or other malicious software if run after upload.
- The application may execute malicious code if the uploaded file has executable code in it and it is used to run as part of a program.
How to Fix:
- Check for File extensions and allow only permitted file extension such as pdf,CSV or text
- Implement file size checker to avoid Denial of Service by trying to upload too large files.
- Do not keep uploaded file under directories that have execute permissions.
- Assign the file uploaded with a random name, do not trust any input including file names.
- All validations should be done at server side only
- Install antivirus that detects any malicious file uploaded, in such case discard or delete the file and do not save it in computer system.
Hope this article has given some useful information on how to fix malicious file upload vulnerability. Please share if you liked this
