CWE-SANS-Top-25/Insecure-interaction-between-components/CWE-434
CWE-434: Unrestricted Upload of File with Dangerous Type
Description
Many web applications accept file uploads (images, avatars, documents, ...). If the application lacks a proper filtering mechanism, it is likely to accept files other than pictures and documents. For example, an attacker could exploit this to upload a PHP script disguised with a .gif extension.
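The following is an added example, not code from the original page: it contrasts the insufficient filter described above (trusting the client-supplied extension alone) with a hardened upload check that requires both an allowlisted extension and matching file-signature bytes, and that never reuses the client's filename on disk. The allowlist, magic-byte table and sample files are constructed for this illustration; the server-side language is assumed to be Python.

```python
import os
import uuid
from typing import Dict, Tuple

# Allowlist of accepted extensions mapped to the file-signature prefixes
# they must carry (constructed for this example; extend as needed).
ALLOWED_TYPES: Dict[str, Tuple[bytes, ...]] = {
    "gif": (b"GIF87a", b"GIF89a"),
    "png": (b"\x89PNG\r\n\x1a\n",),
    "jpg": (b"\xff\xd8\xff",),
    "jpeg": (b"\xff\xd8\xff",),
    "pdf": (b"%PDF-",),
}


def extension_only_check(filename: str) -> bool:
    """The weak filter: accepts anything whose name ends in an allowed extension.

    A script renamed to 'shell.gif' passes, which is exactly the CWE-434 case.
    """
    ext = filename.rsplit(".", 1)[-1].lower() if "." in filename else ""
    return ext in ALLOWED_TYPES


def validate_upload(filename: str, content: bytes) -> Tuple[bool, str]:
    """Hardened check. Returns (accepted, detail) where detail is the
    normalized extension on success or the rejection reason on failure."""
    # Reject path components, empty names, dotfiles (e.g. .htaccess) and NUL bytes.
    base = os.path.basename(filename)
    if not base or base != filename or base.startswith(".") or "\x00" in base:
        return False, "invalid filename"
    # Require exactly one extension so 'shell.php.gif' cannot slip through
    # servers that pick the first recognised extension.
    parts = base.lower().split(".")
    if len(parts) != 2 or not parts[0]:
        return False, "exactly one extension required"
    ext = parts[1]
    if ext not in ALLOWED_TYPES:
        return False, f"extension .{ext} not allowed"
    # The declared type must match the actual bytes, not just the name.
    if not content.startswith(ALLOWED_TYPES[ext]):
        return False, "content does not match declared type"
    return True, ext


def safe_storage_name(ext: str) -> str:
    """Generate a server-side name; the client's name is never used on disk."""
    return f"{uuid.uuid4().hex}.{ext}"


# Constructed sample uploads: name -> first bytes of the body.
SAMPLES: Dict[str, bytes] = {
    "cat.gif": b"GIF89a" + b"\x00" * 16,          # genuine GIF header
    "shell.gif": b"<?php echo 'hi'; ?>",         # script disguised with a .gif extension
    "shell.php.gif": b"GIF89a" + b"\x00" * 16,   # double extension, valid header
    "report.pdf": b"%PDF-1.4\n%constructed",      # genuine PDF header
    "notes.php": b"<?php echo 'hi'; ?>",         # undisguised script
}


def run_demo() -> Dict[str, Tuple[bool, bool]]:
    """For each sample, return (weak_filter_result, hardened_result)."""
    return {
        name: (extension_only_check(name), validate_upload(name, body)[0])
        for name, body in SAMPLES.items()
    }


if __name__ == "__main__":
    for name, (weak, strong) in run_demo().items():
        print(f"{name:16} extension-only={weak!s:5} hardened={strong}")
```

Requiring exactly one extension does reject legitimate names such as `my.photo.gif`; that is a deliberate trade-off, since the alternative is reasoning about how every downstream server parses multi-dot names. Storing the file under a generated name outside the web root, or on a host that never executes uploaded content, is the complementary control.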
Risk measurement
| Factor | Rating |
|---|---|
| Weakness Prevalence | Common |
| Remediation Cost | Medium |
| Attack Frequency | Sometimes |
| Consequences | Code execution |
| Ease of Detection | Moderate |
| Attacker Awareness | Medium |