
How We Bypassed File Upload Restrictions

Author: Snir Aviv



Introduction

During a penetration test conducted on a web application, a critical finding was discovered: it was possible to upload malicious files to the application's server, leading to remote execution of arbitrary operating system commands.
The application allows users to interact with a dedicated chatbot for a variety of purposes. Its logic included an option to upload document files into the chat.

How We Found the Critical Finding

Step 1: Testing the File Upload Mechanism

After logging in to the web application, we noticed a file upload mechanism used for uploading documents and images to the system. While uploading a PNG file, we noticed that the application returns the full path of the uploaded file in the HTTP response, which seemed an interesting starting point.

We then tried to upload file types that are not allowed by the application's logic, such as a PHP file, since the backend is written in PHP. We received an HTTP 403 Forbidden response code, meaning that the system blocked the attempt:

The Mechanism may Enforce Against Arbitrary Files

Step 2: Bypassing the Restrictions

Although the system blocked our file upload attempts, we continued looking for other techniques. Ultimately, we noticed that it is possible to bypass the restriction by adding the magic numbers (file signature) of a GIF image to the original PHP file. Therefore, we were able to upload any type of file, as it turns out that the system does not properly verify the MIME type of the uploaded file:

Uploading Forbidden File Types Successfully

Step 3: Putting It All Together and Exploiting

Once the bypass was established, we managed to upload files that enabled the execution of arbitrary operating system commands. As a result, we could read any file located on the server.

Bypassing the file type restrictions allowed us to retrieve clear-text credentials, use them to access the database, and finally extract users' private information, such as email addresses and passwords, thereby obtaining highly sensitive information about the system's users:

Leveraging the Vulnerability and Fetching Database Credentials

Mitigation

In these cases, Clear Gate advises implementing the file upload mechanism so that it performs the following checks before processing the uploaded file:

  • Confirm that the file content matches the MIME type declared in the Content-Type parameter.
  • Confirm that the filename parameter does not contain special characters.
  • Use a case-sensitive allow list to check the uploaded file's extension. For example, for images, allow GIF, PNG, JPEG, JPG, and BMP.
  • Verify that the uploaded file is not malicious using static and dynamic analysis technologies.
  • Verify that the uploaded file size does not exceed the limit set by the business logic, for example 15 Megabytes.

Moreover, it is recommended to avoid using absolute paths to access the uploaded file and to disable the execution of arbitrary file types, such as PHP, in the predetermined upload directory.
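The following is an added example, not code from the original post or from Clear Gate, showing how the checks above combine into one server-side validator. It assumes a constructed allow list (GIF, PNG, JPEG, JPG, BMP) with the magic bytes and Content-Type each extension must carry, a 15 MB limit, and a hypothetical `validate_upload` function; the inputs in the test are constructed.

```python
# Added example (not the original post's code): a minimal upload validator
# implementing the checks listed above. Standard library only.
import re

MAX_SIZE = 15 * 1024 * 1024  # 15 MB, the example limit given above

# Case-sensitive extension allow list, as recommended above. Each entry maps to
# the magic bytes the file must start with and the Content-Type it must declare.
ALLOWED = {
    "gif":  ((b"GIF87a", b"GIF89a"), "image/gif"),
    "png":  ((b"\x89PNG\r\n\x1a\n",), "image/png"),
    "jpg":  ((b"\xff\xd8\xff",), "image/jpeg"),
    "jpeg": ((b"\xff\xd8\xff",), "image/jpeg"),
    "bmp":  ((b"BM",), "image/bmp"),
}

# One base name, one dot, one extension: rejects path separators, NUL bytes
# and double extensions such as "shell.php.gif".
SAFE_NAME = re.compile(r"[A-Za-z0-9_-]{1,64}\.[A-Za-z0-9]{1,5}")


def validate_upload(filename: str, content_type: str, data: bytes) -> str:
    """Return "ok" if the upload passes every check, otherwise the name of the
    first failing check. Cheap checks run first."""
    if len(data) > MAX_SIZE:
        return "size"
    if not SAFE_NAME.fullmatch(filename):
        return "filename"
    ext = filename.rsplit(".", 1)[1]
    if ext not in ALLOWED:           # "php", "PHP" and "phtml" all land here
        return "extension"
    magics, expected_type = ALLOWED[ext]
    if content_type != expected_type:
        return "content-type"
    # The declared type must match the bytes actually uploaded. Note that a
    # signature check only proves the prefix: a GIF header followed by script
    # code still passes here, which is why the upload directory must not execute
    # scripts and why content scanning is listed as a separate check.
    if not any(data.startswith(m) for m in magics):
        return "magic"
    return "ok"
```

Checking only the signature, as the vulnerable application did, would have accepted the GIF-prefixed PHP file; the extension and filename checks are what reject it here.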
