Questions tagged [file-upload]

File upload means sending a file from a local system to a remote system such as a server or another client with the intent that the remote system should store a copy of the file being transferred.

286 questions
8 votes, 2 answers

What does it mean to have a "file name with NULL bytes in serialized instances"?

I was browsing this page, which redirected me to this vulnerability because I'm a Java developer and I'm aware of the affected library. Basically the vulnerability says: It was discovered that Apache Commons FileUpload incorrectly handled file…
Muhammad Gelbana
8 votes, 2 answers

What are the potential vulnerabilities of allowing a large http body size?

With NGINX and PHP I am allowing 5GB files to be 'uploaded' to my server although they will not be downloaded unless they are 'legitimate' (that is for another question ;)). I was wondering if this is making it easier for DDoS attacks or other…
maxisme
8 votes, 1 answer

CSRF attack on file upload functionality

Is it possible to perform CSRF attacks on file upload functionality? My application uploads files by sending multipart/form-data POST requests without any random token. Is it possible to prepare an HTML form which will demonstrate this attack on the…
user187205
8 votes, 3 answers

How to safely allow upload of executable files

I need help regarding file uploading. In one of my projects the client wants to allow a file upload without restrictions on the file type. But I'm afraid that then users can upload executable files like .php, .aspx, .dll, .so and then they can…
Ravi
8 votes, 5 answers

How should I serve untrusted / unsanitized documents (PDF, DOC, XLS) to end users over the web?

My website will be hosting documents for end users and I would like to make this as secure as possible. Question: Assuming that I have a need to share documents on a website that may contain hostile code, what should I do to protect myself and my end…
makerofthings7
7 votes, 3 answers

PHP | Security for allowing user uploads

My Situation: I am creating a web application with PHP which allows users to scan their files for viruses. It allows the user to upload their files via the HTML "file" input type or via a URL. I have successfully built the HTML and PHP side of…
Jimmy
7 votes, 6 answers

How to defend vs. Image Remote File Inclusion, e.g. RFI using a .gif file (Apache/PHP)?

To defend against Remote File Inclusion where attackers try to abuse image files, I usually recommend never using include to pull image files into PHP code. Sometimes, though, avoiding image includes may not be possible at all (for…
Jürgen Thelen
7 votes, 3 answers

Is it safe to allow external images to be attached to a blog or any web content?

I am filtering all images that are attached to any content of my blog: Check for file extension. Check content type using $finfo = finfo_open(FILEINFO_MIME_TYPE); I also save the image temporarily on my server and check the size using getimagesize() then…
Akam
7 votes, 4 answers

Is it necessary to scan users' file uploads by antivirus?

A web application allows users to upload files. Is it necessary to scan those files with antivirus? I'd want to hear an answer in two scenarios: The type of file isn't checked when uploading. They are stored in a folder that isn't directly accessible from the…
Andrei Botalov
6 votes, 4 answers

Worst case scenario of having the ability to remotely write files to disk as admin

I'm working on creating a program ("My Program") that will communicate with another program ("Their Program") via XML commands over a raw TCP/IP connection. Their program allows files to be written to the disk remotely with administrator privileges.…
6 votes, 2 answers

Directory traversal in PHP with the $_FILES array?

I'm working on a PHP application that is handling file upload. I'm trying to inject a path traversal payload in the filename such as /../../../../etc/. The thing is that the vulnerable line of code is using the filename through the $_FILES["name"]…
KB303
6 votes, 3 answers

Recreating uploads/linked images with imagecreatefrom* php

As suggested on my StackOverflow question, I am now directing this towards the Information Security group, since no one was able to answer my question despite multiple up-votes. User uploaded images account for a large portion of the content on the…
DanL
5 votes, 5 answers

Should there be an anti-virus used on client provided files?

This is based on Stack Exchange podcast #25. I really don't understand why there would need to be virus checking on uploaded files. It would generally be a bad idea to execute anything which was uploaded, so, so long as you make sure the files…
cwallenpoole
5 votes, 3 answers

Is it possible for a hacker to bypass an upload PHP file?

I want to add a filtering system to my script. Here it is:
Imran Abdur Rahim
5 votes, 1 answer

Is it possible to get XSS through uploading an image via the filename?

I just wanted to know if it's possible... If I have an image, e.g. abc.jpeg, and I rename it to an XSS vector such as .jpeg, will it successfully produce the XSS, or is there actually another way to do this...
sheppard