Questions tagged [file-upload]

File upload means sending a file from a local system to a remote system such as a server or another client with the intent that the remote system should store a copy of the file being transferred.

286 questions
18 votes, 3 answers

What is the next step of this file upload attack?

Yesterday I discovered somebody had uploaded this PHP code to my server as a .jpg file via my ASP.NET MVC application's "Upload your profile picture" form. I believe the attack was unsuccessful for a number of reasons (the images are given random…
Jared Phelps
17 votes, 3 answers

Using file extension and MIME type (as output by file -i -b) combination to determine unsafe files?

We allow users to upload a number of files, all of which we either send over to Scribd (doc, xls, ppts, etc.) or display as a video ourselves (flv, mov, mp4, etc. in Flowplayer). To avoid users uploading unsafe files, we check against a set of known…
siliconpi
16 votes, 3 answers

Exploiting a PHP server with a .jpg file upload

I would like to ask a question regarding the classic "upload an image and execute PHP code" exploit on a website. So I have been trying out this exploit on a website I'm supposed to hack (it's set up for us to try and hack it). The webpage allows us…
bruce kent
14 votes, 3 answers

Is it possible to inject HTML into an image to provoke XSS?

Some answers mention that it's possible to inject attacker-controlled HTML into images and therefore provoke XSS. I guess that this HTML will be processed by the browser only if a hole exists in the browser. So I think it's more a browser issue and there is…
Andrei Botalov
13 votes, 3 answers

How does SFTP function without a manually generated public/private key pair?

I am learning about SSH and how to use it to secure file transfers and commands between a Windows machine and a Linux server. Everything that I have read so far indicates that I need to use an SFTP client (like WinSCP) to connect to my server and…
Hoytman
12 votes, 5 answers

How insecure is FTP?

Okay, we know the drill: don't use FTP, use SFTP or FTPS. But what exactly is the risk being posed? The files themselves are sent unencrypted, and this may be fine, or disastrous, depending on what the code in them contains. But, if we're dealing…
Stumbler
12 votes, 2 answers

How to prevent XSS in SVG file upload?

Currently assessing an application, I found out that it is possible to submit an SVG file containing JavaScript (the app is also vulnerable to XXE). I wondered if there was a method to prevent those vulnerabilities and secure the SVG submission…
Nokosi Pow
11 votes, 3 answers

Why does OWASP suggest using POST over PUT for file uploads?

When browsing the OWASP security recommendations for file uploads, I ticked reading the following: "Try to use POST method instead of PUT (or GET!)" I don't see how one method is better than another from a security perspective. Could someone shed…
Zenklys
10 votes, 2 answers

Antivirus for scanning anonymous file uploads

Since I have no experience with AV solutions on Unix-like environments, I would need help with suggestions on something that can be suitable for scanning files that are uploaded by anonymous users through a Web application. I'm mostly interested in…
10 votes, 1 answer

Security measures and anti-virus on server to mitigate acting as a propagation vector

We have a web application for which I've been asked to add the ability to let users upload documents that will then be visible and downloadable by other users. Those documents will typically be images and audit documents that will initially be in…
Bruno Girin
10 votes, 1 answer

How can I spoof the MIME type of a file upload?

There are posts that say the PHP mimetype isn't secure, or can be bypassed. How do people spoof the mimetype?
h00j
10 votes, 1 answer

.JPEG file upload shell via EXIF comments

I came across this advisory recently and I'm a bit confused by both exploits, but specifically the file upload vulnerability. I don't understand how to actually exploit this condition (or even why this exists as a condition). I tried using a shell…
NULLZ
10 votes, 4 answers

Making a blacklist of file types to protect a PHP application

I'm working in a PHP system where the user can upload files. I'm trying to protect the system from malicious code, so I'm thinking about some type of blacklist of files that I have to block from upload. I know that a whitelist is better than a…
James
9 votes, 2 answers

C# Image.FromStream: is that secure?

After reading the data from the request as a Stream, I needed to convert it to an Image, so I used this method: Stream inputStream = HttpContext.Current.Request.InputStream; Image img = Image.FromStream(inputStream); so while I'm unable to know what was in…
Yaniv
9 votes, 2 answers

Why should I restrict the content type of files being uploaded to my site?

We are building an application where users can upload resumes in our system for our administrators to download. We are having a debate about restricting the content type of the files that can be uploaded. I'm having a hard time piecing together…
Andy