CWE List: Individual Dictionary Definition (version 1.6)

CWE-434: Unrestricted File Upload
Compound Element ID: 434 (Compound Element Base: Composite) | Status: Draft
+ Description

Description Summary

The software allows the attacker to upload or transfer files of dangerous types that can be automatically processed within the product's environment.
+ Alternate Terms
File Upload of Dangerous Type: this entry was formerly called "File Upload of Dangerous Type".

+ Time of Introduction
  • Implementation
+ Applicable Platforms

Languages

All

+ Observed Examples
Reference | Description
CVE-2001-0901 | Web-based mail product stores ".shtml" attachments that could contain SSI
CVE-2002-1841 | PHP upload does not restrict file types
CVE-2005-1868 | upload and execution of .php file
CVE-2005-1881 | upload file with dangerous extension
CVE-2005-0254 | program does not restrict file types
CVE-2004-2262 | improper type checking of uploaded files
CVE-2006-4558 | Double "php" extension leaves an active php extension in the generated filename.
CVE-2006-6994 | ASP program allows upload of .asp files by bypassing client-side checks
CVE-2005-3288 | ASP file upload
CVE-2006-2428 | ASP file upload
+ Potential Mitigations
Phase | Description
(not specified) | Determine the size and type of files that users are expected to upload to your system, and enforce those limits on the server side: reject anything outside the expected size and type instead of trusting the filename or type the client supplied.
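As an added example (not code from the CWE entry or from any product it cites), the following Python implements the mitigation above: it enforces a size limit and an allow-list of expected types on the server, requires the file content to match the claimed extension, and stores the file under a server-chosen name with non-executable permissions. The size limit, the allow-list, the magic-byte table and the storage directory are assumptions made for illustration.

```python
import os
import secrets

MAX_BYTES = 2 * 1024 * 1024  # assumed policy: 2 MiB per upload

# Allow-list keyed by the LAST extension; each value is the set of byte
# prefixes a genuine file of that type starts with. Nothing the server
# would hand to a script engine is listed.
ALLOWED = {
    "png": (b"\x89PNG\r\n\x1a\n",),
    "jpg": (b"\xff\xd8\xff",),
    "jpeg": (b"\xff\xd8\xff",),
    "gif": (b"GIF87a", b"GIF89a"),
    "pdf": (b"%PDF-",),
}


class UploadRejected(ValueError):
    """Raised with a reason when an upload fails a check."""


def check_upload(filename: str, data: bytes) -> str:
    """Validate an upload and return the allow-listed extension it matched.

    The client-supplied name is consulted only for its final extension; it
    is never used to name the stored file.
    """
    if not data:
        raise UploadRejected("empty file")
    if len(data) > MAX_BYTES:
        raise UploadRejected("file too large")
    # Reject path separators and NUL outright instead of trying to repair them.
    if any(c in filename for c in ("/", "\\", "\x00")):
        raise UploadRejected("path characters in filename")
    base, dot, ext = filename.rpartition(".")
    if not dot or not base:
        raise UploadRejected("no extension")
    # Most servers pick the handler from the LAST extension; lowercasing
    # defeats ".PhP"-style case tricks.
    ext = ext.lower()
    if ext not in ALLOWED:
        raise UploadRejected(f"extension .{ext} not allowed")
    # Content must agree with the claimed type: a PHP script renamed to
    # x.png has an allowed extension but fails here.
    if not data.startswith(ALLOWED[ext]):
        raise UploadRejected(f"content does not look like .{ext}")
    return ext


def store_upload(filename: str, data: bytes, upload_dir: str) -> str:
    """Write a validated upload under a random, server-chosen name.

    upload_dir is assumed to sit outside the document root and to be served,
    if at all, by a handler that never executes what it reads.
    """
    ext = check_upload(filename, data)
    os.makedirs(upload_dir, exist_ok=True)
    stored_name = f"{secrets.token_hex(16)}.{ext}"
    path = os.path.join(upload_dir, stored_name)
    # O_EXCL: never overwrite an existing file; 0o600: not executable.
    fd = os.open(path, os.O_WRONLY | os.O_CREAT | os.O_EXCL, 0o600)
    with os.fdopen(fd, "wb") as f:
        f.write(data)
    return stored_name


if __name__ == "__main__":
    import tempfile
    # Constructed sample inputs: a minimal PNG header and a PHP payload.
    png = b"\x89PNG\r\n\x1a\n" + b"\x00" * 32
    php = b"<?php system($_GET['c']); ?>"
    with tempfile.TemporaryDirectory() as d:
        print("stored as", store_upload("avatar.PNG", png, d))
        for name, body in [("shell.php", php), ("shell.php.gif", php),
                           ("shell.gif", php), ("../x.png", png)]:
            try:
                check_upload(name, body)
                print(name, "ACCEPTED (bug)")
            except UploadRejected as e:
                print(name, "rejected:", e)
```

The magic-byte check catches a script renamed to an image, but not a polyglot that starts with a valid image header and carries script later in the body; that case is handled by the other two measures, a server-chosen name with an allow-listed extension and storage where nothing executes, which is why the example does not rely on content sniffing alone.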

+ Other Notes

This can have a chaining relationship with incomplete blacklist / permissive whitelist errors when the product tries, but fails, to properly limit which types of files are allowed.

This can also overlap multiple interpretation errors for intermediaries, e.g. anti-virus products that do not filter attachments with certain file extensions that can be processed by client systems.

This can be primary when there is no check at all. It is frequently resultant when the use of double extensions (e.g. ".php.gif") bypasses sanity checks. It is also resultant from client-side enforcement: some products include web script in web clients to check the filename, without verifying on the server side.
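To show the failure modes these notes describe, the following added Python (not from the CWE entry) runs constructed filenames through an incomplete blacklist, a first-extension check, a substring check and a strip-once sanitizer of the kind behind the double-extension example, and contrasts them with a server-side allow-list check over every extension in the name. The allow-list, blacklist and sample names are constructed for illustration.

```python
import re

# Allow-list and blacklist constructed for illustration.
ALLOWED = {"gif", "jpg", "png"}
BLACKLIST = {"php", "asp"}


def blacklist_last_ext(name: str) -> bool:
    """Incomplete blacklist (CWE-184): only the listed spellings are refused."""
    return name.rsplit(".", 1)[-1] not in BLACKLIST


def first_ext_allowlisted(name: str) -> bool:
    """Reads the FIRST extension, so 'shell.gif.php' is judged to be a GIF."""
    parts = name.split(".")
    return len(parts) > 1 and parts[1].lower() in ALLOWED


def substring_allowlisted(name: str) -> bool:
    """Accepts any name that merely contains an allowed extension somewhere."""
    lowered = name.lower()
    return any("." + ext in lowered for ext in ALLOWED)


def strip_php_once(name: str) -> str:
    """Sanitizer that deletes one trailing '.php'; 'x.php.php' becomes 'x.php'."""
    return re.sub(r"\.php$", "", name, count=1, flags=re.IGNORECASE)


def every_ext_allowlisted(name: str) -> bool:
    """Server-side allow-list: every extension in the name must be allowed."""
    parts = name.lower().split(".")
    return len(parts) > 1 and parts[0] != "" and all(p in ALLOWED for p in parts[1:])


CHECKS = {
    "blacklist": blacklist_last_ext,
    "first_ext": first_ext_allowlisted,
    "substring": substring_allowlisted,
    "every_ext": every_ext_allowlisted,
}


def accepted_by(name: str) -> set:
    """Labels of the checks that let this filename through."""
    return {label for label, check in CHECKS.items() if check(name)}


if __name__ == "__main__":
    # Constructed sample names.
    for n in ["shell.php", "shell.PHP", "shell.phtml", "shell.gif.php",
              "shell.php.gif", "image.gif"]:
        print(f"{n:16} accepted by {sorted(accepted_by(n)) or 'none'}")
    print("strip_php_once('shell.php.php') ->", strip_php_once("shell.php.php"))
```

The "shell.php.gif" row is the one the note singles out: the blacklist passes it because the last extension is "gif", and whether the server then executes it depends on how its handler is chosen from a name with several extensions, which is why this entry is paired with CWE-430 (Deployment of Wrong Handler) and CWE-436 (Interpretation Conflict) in the relationships below.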

+ Relationships
Nature | Type | ID | Name | View(s) this relationship pertains to
PeerOf | Weakness Base | 183 | Permissive Whitelist | Research Concepts (1000)
PeerOf | Weakness Base | 184 | Incomplete Blacklist | Research Concepts (1000)
PeerOf | Weakness Class | 216 | Containment Errors (Container Errors) | Research Concepts (1000)
Requires | Weakness Base | 351 | Insufficient Type Distinction | Research Concepts (1000)
ChildOf | Category | 429 | Handler Errors | Development Concepts (primary) (699)
PeerOf | Weakness Base | 430 | Deployment of Wrong Handler | Research Concepts (1000)
Requires | Weakness Base | 436 | Interpretation Conflict | Research Concepts (1000)
PeerOf | Weakness Base | 436 | Interpretation Conflict | Research Concepts (1000)
ChildOf | Category | 632 | Weaknesses that Affect Files or Directories | Resource-specific Weaknesses (primary) (631)
ChildOf | Weakness Class | 669 | Incorrect Resource Transfer Between Spheres | Research Concepts (primary) (1000)
ChildOf | Category | 714 | OWASP Top Ten 2007 Category A3 - Malicious File Execution | Weaknesses in OWASP Top Ten (2007) (primary) (629)
CanFollow | Weakness Class | 73 | External Control of File Name or Path | Research Concepts (1000)
CanFollow | Weakness Base | 184 | Incomplete Blacklist | Research Concepts (1000)
+ Research Gaps

PHP applications are most targeted, but this likely applies to other languages that support file upload, as well as non-web technologies. ASP applications have also demonstrated this problem.

+ Affected Resources
  • File/Directory
+ Taxonomy Mappings
Mapped Taxonomy Name | Node ID | Fit | Mapped Node Name
PLOVER | | | Unrestricted File Upload
OWASP Top Ten 2007 | A3 | CWE More Specific | Malicious File Execution
+ References
Richard Stanway (r1CH). "Dynamic File Uploads, Security and You". <http://shsc.info/FileUploadSecurity>.
+ Content History
Submissions
Submission Date | Submitter | Organization | Source
| PLOVER | | Externally Mined
Modifications
Modification Date | Modifier | Organization | Source | Changes
2008-07-01 | Eric Dalci | Cigital | External | updated Time of Introduction
2008-09-08 | CWE Content Team | MITRE | Internal | updated Alternate Terms, Relationships, Other Notes, Taxonomy Mappings
2009-01-12 | CWE Content Team | MITRE | Internal | updated Relationships
Page Last Updated: October 29, 2009