From aldeid

CWE-434: Unrestricted Upload of File with Dangerous Type


Many web applications allow users to upload files (images, avatars, documents, ...). If the application lacks a proper filtering mechanism, it is likely to accept files other than pictures and documents. For example, an attacker could exploit this to upload a PHP script disguised with a .gif extension.
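The following is an added example (not code from the aldeid page) showing the server-side checks that close the gap described above: an extension allowlist, a check that the file content actually starts with the magic bytes of the declared image type, a scan for embedded script markers so a polyglot (valid GIF header followed by PHP code) is also refused, and a server-chosen filename so the client-supplied name never reaches the filesystem. The size limit, the marker list and the sample uploads are assumptions constructed for the demonstration.

```python
import os
import uuid

# Extension allowlist, mapped to the magic bytes each image format must start with.
ALLOWED_TYPES = {
    ".gif": (b"GIF87a", b"GIF89a"),
    ".png": (b"\x89PNG\r\n\x1a\n",),
    ".jpg": (b"\xff\xd8\xff",),
    ".jpeg": (b"\xff\xd8\xff",),
}

# Server-side script markers; a genuine image has no reason to contain them.
# (Assumed list for this example; extend it for the interpreters your server runs.)
SCRIPT_MARKERS = (b"<?php", b"<?=", b"<script", b"<%")

MAX_SIZE = 2 * 1024 * 1024  # assumed 2 MiB limit


class UploadRejected(ValueError):
    """Raised when an upload fails one of the checks."""


def validate_upload(client_filename: str, data: bytes) -> str:
    """Return the accepted extension, or raise UploadRejected."""
    if len(data) > MAX_SIZE:
        raise UploadRejected("file too large")
    # Only the final extension is considered: 'x.php.gif' is judged by '.gif',
    # and the content check below decides whether it really is a GIF.
    ext = os.path.splitext(client_filename)[1].lower()
    if ext not in ALLOWED_TYPES:
        raise UploadRejected(f"extension {ext!r} not allowed")
    if not data.startswith(ALLOWED_TYPES[ext]):
        raise UploadRejected("content does not match the declared image type")
    lowered = data.lower()
    if any(marker in lowered for marker in SCRIPT_MARKERS):
        raise UploadRejected("embedded script markers found")
    return ext


def is_accepted(client_filename: str, data: bytes) -> bool:
    """Boolean wrapper around validate_upload, convenient for tests and logging."""
    try:
        validate_upload(client_filename, data)
        return True
    except UploadRejected:
        return False


def store_upload(client_filename: str, data: bytes, upload_dir: str) -> str:
    """Validate, then write under a random server-chosen name; return that name."""
    ext = validate_upload(client_filename, data)
    safe_name = uuid.uuid4().hex + ext  # client filename is never used on disk
    with open(os.path.join(upload_dir, safe_name), "wb") as fh:
        fh.write(data)
    return safe_name


# Constructed samples: a minimal GIF, a PHP file renamed to .gif, and a polyglot.
REAL_GIF = b"GIF89a" + b"\x01\x00\x01\x00\x00\x00\x00;"
RENAMED_PHP = b"<?php echo 'hello'; ?>"
POLYGLOT_GIF = b"GIF89a" + b"<?php echo 'hello'; ?>"

if __name__ == "__main__":
    for name, blob in [("avatar.gif", REAL_GIF),
                       ("avatar.gif", RENAMED_PHP),
                       ("avatar.php.gif", POLYGLOT_GIF),
                       ("avatar.php", REAL_GIF)]:
        print(name, "accepted" if is_accepted(name, blob) else "rejected")
```

Even with these checks, the upload directory should live outside the web root (or be served by a handler that never executes files), since content checks cannot anticipate every interpreter the web server might hand a file to.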

Risk measurement

Weakness Prevalence: Common
Remediation Cost: Medium
Attack Frequency: Sometimes
Consequences: Code execution
Ease of Detection: Moderate
Attacker Awareness: Medium