-1

I want to test a file upload functionality and I wasn't able to upload exe files, but I could upload file.exe.jpg (adding jpg extension). What threat this file possesses after it uploaded on the server?

one
  • 1,781
  • 3
  • 18
  • 45
  • This is not my area of expertise but maybe this will help you: [Block upload of executable images (PHP)](http://stackoverflow.com/questions/2851976/block-upload-of-executable-images-php) – Bomskie May 18 '16 at 11:23
  • I do not see an immediate thread when an executable is uploaded to a server with the file extension .jpg However, it is recommended to determine header of the uploaded file. This can be done by checking the mime type (mime_content_type) If the PHP version is older, you can try to perform null byte injection. E.g. upload a file called "myfile.exe%00.jpg" – Jeroen May 18 '16 at 13:40

1 Answers1

3

First as a little sidenote, a xyz.exe.com.bat.jpg file could be a technically valid image file, and should not be blocked for upload unless you willingly want to limit functionalities (which could be acceptable - just saying)

Now to answer your question : a xyz.exe.jpg file or a xyz.jpg file pose almost the same threat after having been uploaded to your server.

First, what additional threat would a malware executable file have, somewhat disguised by appending .jpg at the end ? If your application simply parses images (without trying to execute the content of the images as binary, which is probably the case of 99,9999% of apps) to display them, or simply transmits them over the wire (for a simple website), there is no additional risk due to an automated process (displaying, transferring..). The only additional risk would occur if a curious person would rename the file into a .exe extension and run it willingly on a machine as an executable file

Now, a technically displayable (or simply a file finishing with .jpg) image could leverage a bug in an image parsing piece of code (typically a library that you would use to, for example, crop or resize images). In such a case, a .exe.jpg disguised executable would not have any effect on the parser. Only a carefully crafted file, tailored especially for the library that you use, would be able to leverage anything, and that would happen during the parsing.

To sum it up : a .exe.jpg executable processed by a normal image parsing piece of code is harmless, since it would not be executed by the parsing code

As a final note, checking if the file is indeed a technically valid image before doing any further processing is generally a good idea, if you have enough resources to do so. Again, in such a case, a bug in the "file type checker" library could be leveraged. But at least, a xyz.exe.jpg executable would not pass validation

niilzon
  • 1,587
  • 2
  • 10
  • 17
  • 2
    Right. However, if there is another vulnerability in the system (for example, a *local file inclusion vulnerability*), then the situation might be different and the manipulated file could be used for a more advanced attack. – Lukas May 18 '16 at 14:17