I am using a messenger app that's similar to WhatsApp.
This app allows me to send any type of files, like Html, Php, SWF etc. via text messages.
Is this a vulnerability?
I am using a messenger app that's similar to WhatsApp.
This app allows me to send any type of files, like Html, Php, SWF etc. via text messages.
Is this a vulnerability?
Not exactly a vulnerability accepting these files. The main problem is your application opening these files and interpreting them which can lead to:
What normally happens is an enhanced algorithm that detects these certain behaviours and content inside the application, or sandbox it to open within a certain memory which means you cant do anything besides at that point. As an example try write script tags in stacks answers and you will see that it doesnt allow you.
It depends.
Just because an application allows for files (of an variety) to be uploaded does not immediately point to there being a vulnerability. It is important to understand how the backend handles these files.
If the backend actually executes the file then you could potentially have a vulnerability, otherwise if the contents are merely displayed back to the user as text, or in a sandbox/preview sort of context, like how browsers display PDF documents, then there should be no issue because the application is helping to protect the user by deweaponizing it. Of course there could be edge cases where the file can be executed but that might indicate a 0day vuln or a not-up-to-date application.
It is entirely up to how you handle the untrusted data. If you render it in a way that it would be executed, then yes.
There are layers you need to approach, is there a file type you don't want, file size you don't want to exceed?