CWE Individual Dictionary Definition (1.4)

CWE-434: Unrestricted File Upload

Unrestricted File Upload
Status: Draft
Compound Element ID: 434 (Compound Element Base: Composite)
+ Description
Summary

The software allows the attacker to upload or transfer files of dangerous types that can be automatically processed within the product's environment.

+ Alternate Terms
File Upload of Dangerous Type

Formerly called "File Upload of Dangerous Type"

+ Time of Introduction
* Implementation
+ Applicable Platforms
Languages
All
+ Observed Examples
Reference | Description
(reference not captured) | Web-based mail product stores ".shtml" attachments that could contain SSI
(reference not captured) | PHP upload does not restrict file types
(reference not captured) | Improper type checking of uploaded files
(reference not captured) | Program does not restrict file types
(reference not captured) | Upload and execution of .php file
(reference not captured) | Upload file with dangerous extension
(reference not captured) | ASP file upload
(reference not captured) | ASP file upload
(reference not captured) | Double "php" extension leaves an active php extension in the generated filename.
(reference not captured) | ASP program allows upload of .asp files by bypassing client-side checks
+ Potential Mitigations

Determine the size and type of files that users are expected to upload to your system. Take measures to assure that the files meet those requirements.

+ Other Notes

This can have a chaining relationship with incomplete blacklist / permissive whitelist errors when the product tries, but fails, to properly limit which types of files are allowed.

This can also overlap multiple interpretation errors for intermediaries, e.g. anti-virus products that do not filter attachments with certain file extensions that can be processed by client systems.

This can be primary when there is no check at all. It is frequently resultant when the use of double extensions (e.g. ".php.gif") bypasses sanity checks. It is also resultant from client-side enforcement: some products include web script in web clients to check the filename without verifying it on the server side.
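
The mitigation and notes above amount to one rule: decide the expected size and types up front and enforce them on the server, treating the filename's extension and the file's actual content separately. The following Python validator is an added example written for this entry, not code from CWE or from any product named here; the allowlist in ALLOWED_TYPES and the size limit are constructed policy values that a real deployment would set for itself.

```python
import os
import re
from typing import Optional, Tuple

# Constructed policy: the only types this hypothetical app expects, each with
# the magic-byte prefixes its content must begin with.
ALLOWED_TYPES = {
    "jpg": (b"\xff\xd8\xff",),
    "png": (b"\x89PNG\r\n\x1a\n",),
    "gif": (b"GIF87a", b"GIF89a"),
    "pdf": (b"%PDF-",),
}
MAX_UPLOAD_BYTES = 5 * 1024 * 1024  # size bound fixed in advance, per the mitigation
SAFE_STEM = re.compile(r"^[A-Za-z0-9_-]{1,64}$")


def validate_upload(filename: str, data: bytes) -> Tuple[bool, str]:
    """Server-side check of one upload. Returns (accepted, reason_or_stored_name).

    Rejects oversized files, names with more or fewer than one extension
    (so "shell.php.gif" and ".htaccess" both fail), extensions outside the
    allowlist, and content whose leading bytes do not match the claimed type.
    """
    if len(data) > MAX_UPLOAD_BYTES:
        return False, "file exceeds size limit"
    # Ignore any client-supplied directory components before inspecting the name.
    base = os.path.basename(filename.replace("\\", "/"))
    parts = base.split(".")
    if len(parts) != 2:
        return False, "filename must have exactly one extension"
    stem, ext = parts[0], parts[1].lower()
    if not SAFE_STEM.match(stem):
        return False, "unsafe characters in filename"
    if ext not in ALLOWED_TYPES:
        return False, "extension .%s not permitted" % ext
    # The extension alone is a claim; the content must back it up.
    if not any(data.startswith(magic) for magic in ALLOWED_TYPES[ext]):
        return False, "content does not look like a .%s file" % ext
    return True, "%s.%s" % (stem, ext)


def stored_name(filename: str, data: bytes) -> Optional[str]:
    """Name to store the upload under, or None when it is rejected."""
    ok, result = validate_upload(filename, data)
    return result if ok else None
```

Storing accepted files outside the web root, under a server-chosen name, keeps a passed check from turning into an executable resource later.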

+ Relationships
Nature | Type | ID | Name | View(s) this relationship pertains to
ChildOf | Category | 429 | Handler Errors | Development Concepts (primary) 699
ChildOf | Weakness Class | 669 | Incorrect Resource Transfer Between Spheres | Research Concepts (primary) 1000
Requires | Weakness Base | 351 | Insufficient Type Distinction | Research Concepts 1000
Requires | Weakness Base | 436 | Interpretation Conflict | Research Concepts 1000
PeerOf | Weakness Base | 184 | Incomplete Blacklist | Research Concepts 1000
PeerOf | Weakness Base | 183 | Permissive Whitelist | Research Concepts 1000
PeerOf | Weakness Class | 216 | Containment Errors (Container Errors) | Research Concepts 1000
PeerOf | Weakness Base | 436 | Interpretation Conflict | Research Concepts 1000
PeerOf | Weakness Base | 430 | Deployment of Wrong Handler | Research Concepts 1000
ChildOf | Category | 632 | Weaknesses that Affect Files or Directories | Resource-specific Weaknesses (primary) 631
ChildOf | Category | 714 | OWASP Top Ten 2007 Category A3 - Malicious File Execution | Weaknesses in OWASP Top Ten (2007) (primary) 629
CanFollow | Weakness Base | 184 | Incomplete Blacklist | Research Concepts 1000
CanFollow | Weakness Class | 73 | External Control of File Name or Path | Research Concepts 1000
+ Research Gaps

PHP applications are most targeted, but this likely applies to other languages that support file upload, as well as non-web technologies. ASP applications have also demonstrated this problem.

+ Affected Resources
* File/Directory
+ Taxonomy Mappings
Mapped Taxonomy Name | Node ID | Fit | Mapped Node Name
PLOVER | | | Unrestricted File Upload
OWASP Top Ten 2007 | A3 | CWE More Specific | Malicious File Execution
+ References
Richard Stanway (r1CH). "Dynamic File Uploads, Security and You". <http://shsc.info/FileUploadSecurity>.
+ Content History
Submissions
PLOVER. (Externally Mined)
Modifications
Eric Dalci. Cigital. 2008-07-01. (External)
updated Time_of_Introduction
CWE Content Team. MITRE. 2008-09-08. (Internal)
updated Alternate_Terms, Relationships, Other_Notes, Taxonomy_Mappings
CWE Content Team. MITRE. 2009-01-12. (Internal)
updated Relationships
Page Last Updated: May 26, 2009