CWE-SANS-Top-25/Insecure-interaction-between-components/CWE-434

From aldeid

CWE-434: Unrestricted Upload of File with Dangerous Type

Description

Many web applications enable file upload (images, avatars, documents, ...). If the application lacks a proper filtering mechanism, it is likely to accept files other than pictures and documents. For example, an attacker could exploit this to upload a PHP script disguised with a .gif extension.
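The following is an added example, not code from the aldeid page: it puts the kind of filter the description warns about (trusting the client's declared MIME type and looking for an allowed extension anywhere in the name) beside a hardened check that decides from the bytes actually received, allows exactly one extension from a server-side allowlist, and stores the file under a random name. The allowlist, the sample uploads and the "PHP" body (a harmless echo) are all constructed for this example.

```python
import os
import secrets
from dataclasses import dataclass
from typing import Optional

# Hypothetical server-side allowlist (an assumption of this example): the
# extensions the application accepts, each mapped to the leading bytes
# ("magic numbers") a genuine file of that type starts with.
ALLOWED_TYPES = {
    "png": [b"\x89PNG\r\n\x1a\n"],
    "jpg": [b"\xff\xd8\xff"],
    "jpeg": [b"\xff\xd8\xff"],
    "gif": [b"GIF87a", b"GIF89a"],
    "pdf": [b"%PDF-"],
}


@dataclass
class Upload:
    filename: str      # name sent by the client: untrusted
    content_type: str  # MIME type sent by the client: untrusted
    data: bytes        # body as received


class UploadRejected(ValueError):
    """Raised by verified_extension() with the reason the file was refused."""


def weak_is_allowed(upload: Upload) -> bool:
    """The kind of filter CWE-434 describes: it trusts the client's declared
    MIME type and only looks for an allowed extension somewhere in the name."""
    if upload.content_type.startswith("image/"):
        return True
    name = upload.filename.lower()
    return any("." + ext in name for ext in ALLOWED_TYPES)


def verified_extension(upload: Upload) -> str:
    """Hardened check: decide from the bytes actually received and return the
    extension the file will be stored with, or raise UploadRejected."""
    # Drop any directory part the client may have sent ("../x.png", "C:\\x.png").
    base = os.path.basename(upload.filename.replace("\\", "/")).lower()
    parts = base.split(".")
    # Exactly one extension: refuses "x.php.gif", ".htaccess" and "noext".
    if len(parts) != 2 or not parts[0] or not parts[1]:
        raise UploadRejected("name must be <base>.<ext> with a single extension")
    ext = parts[1]
    if ext not in ALLOWED_TYPES:
        raise UploadRejected(f"extension .{ext} is not in the allowlist")
    if not any(upload.data.startswith(magic) for magic in ALLOWED_TYPES[ext]):
        raise UploadRejected(f"content does not match a .{ext} file")
    return ext


def reject_reason(upload: Upload) -> Optional[str]:
    """None when the hardened check accepts the file, else why it was refused."""
    try:
        verified_extension(upload)
        return None
    except UploadRejected as exc:
        return str(exc)


def storage_name(upload: Upload) -> Optional[str]:
    """Name to store an accepted file under: random, never the client's name,
    with the verified extension. Intended for a directory outside the web root
    so the server never hands the file to a script interpreter."""
    if reject_reason(upload) is not None:
        return None
    return f"{secrets.token_hex(16)}.{verified_extension(upload)}"


# Constructed samples (not real uploads). The "PHP" body is a harmless echo.
SAMPLES = {
    "genuine_png": Upload("avatar.png", "image/png",
                          b"\x89PNG\r\n\x1a\n" + b"\x00" * 16),
    "script_as_gif": Upload("avatar.gif", "image/gif",
                            b"<?php echo 'hello'; ?>"),
    "double_extension": Upload("avatar.php.gif", "image/gif",
                               b"GIF89a" + b"\x00" * 16),
    "plain_script": Upload("avatar.php", "application/x-php",
                           b"<?php echo 'hello'; ?>"),
}

if __name__ == "__main__":
    for label, upload in SAMPLES.items():
        print(f"{label:17} weak={weak_is_allowed(upload)!s:5} "
              f"hardened={reject_reason(upload) or 'accepted'}")
```

The weak filter accepts three of the four samples, including the script named avatar.gif, because the client said "image/gif". The hardened check refuses it on content, refuses the double extension on name, and only then assigns a storage name. A magic-byte check alone does not stop a file that is simultaneously a valid GIF and carries script after the header, which is why the random name and the out-of-web-root directory are part of the mitigation and not an optional extra.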

Risk measurement

Weakness Prevalence: Common
Remediation Cost: Medium
Attack Frequency: Sometimes
Consequences: Code execution
Ease of Detection: Moderate
Attacker Awareness: Medium
