CWE - CWE-434: Unrestricted File Upload (1.4)

Home > CWE List > CWE- Individual Dictionary Definition (1.4)

CWE List
Full Dictionary View
Development View
Research View
Reports

About
Sources
Process
Documents

Community
Related Activities
Discussion List
Research
CWE/SANS Top 25
CWSS

News
Calendar
Free Newsletter

Compatibility
Program
Requirements
Declarations
Make a Declaration

Contact Us
Search the Site

CWE-434: Unrestricted File Upload

Individual Definition in a New Window

Unrestricted File Upload

Status: Draft

Compound Element ID: 434 (Compound Element Base: Composite)

Description

Summary

The software allows the attacker to upload or transfer files of dangerous types that can be automatically processed within the product's environment.

Alternate Terms

File Upload of Dangerous Type

Formerly called "File Upload of Dangerous Type"

Time of Introduction

Implementation

Applicable Platforms

Languages

All

Observed Examples

Reference	Description
CVE-2001-0901	Web-based mail product stores ".shtml" attachments that could contain SSI
CVE-2002-1841	PHP upload does not restrict file types
CVE-2004-2262	improper type checking of uploaded files
CVE-2005-0254	program does not restrict file types
CVE-2005-1868	upload and execution of .php file
CVE-2005-1881	upload file with dangerous extension
CVE-2005-3288	ASP file upload
CVE-2006-2428	ASP file upload
CVE-2006-4558	Double "php" extension leaves an active php extension in the generated filename.
CVE-2006-6994	ASP program allows upload of .asp files by bypassing client-side checks

Potential Mitigations

Determine the size and type of files that users are expected to upload to your system. Take measures to assure that the files meet those requirements.

Other Notes

This can have a chaining relationship with incomplete blacklist / permissive whitelist errors when the product tries, but fails, to properly limit which types of files are allowed.

This can also overlap multiple interpretation errors for intermediaries, e.g. anti-virus products that do not filter attachments with certain file extensions that can be processed by client systems.

This can be primary when there is no check at all. If is frequently resultant when use of double extensions (e.g. ".php.gif") bypass sanity checks. Also resultant from client-side enforcement; some products will include web script in web clients to check the filename, without verifying on the server side.

Relationships

Nature	Type	ID	Name	View(s) this relationship pertains to
ChildOf	Category	429	Handler Errors	Development Concepts (primary)699
ChildOf	Weakness Class	669	Incorrect Resource Transfer Between Spheres	Research Concepts (primary)1000
Requires	Weakness Base	351	Insufficient Type Distinction	Research Concepts1000
Requires	Weakness Base	436	Interpretation Conflict	Research Concepts1000
PeerOf	Weakness Base	184	Incomplete Blacklist	Research Concepts1000
PeerOf	Weakness Base	183	Permissive Whitelist	Research Concepts1000
PeerOf	Weakness Class	216	Containment Errors (Container Errors)	Research Concepts1000
PeerOf	Weakness Base	436	Interpretation Conflict	Research Concepts1000
PeerOf	Weakness Base	430	Deployment of Wrong Handler	Research Concepts1000
ChildOf	Category	632	Weaknesses that Affect Files or Directories	Resource-specific Weaknesses (primary)631
ChildOf	Category	714	OWASP Top Ten 2007 Category A3 - Malicious File Execution	Weaknesses in OWASP Top Ten (2007) (primary)629
CanFollow	Weakness Base	184	Incomplete Blacklist	Research Concepts1000
CanFollow	Weakness Class	73	External Control of File Name or Path	Research Concepts1000

Research Gaps

PHP applications are most targeted, but this likely applies to other languages that support file upload, as well as non-web technologies. ASP applications have also demonstrated this problem.

Affected Resources

File/Directory

Taxonomy Mappings

Mapped Taxonomy Name	Node ID	Fit	Mapped Node Name
PLOVER			Unrestricted File Upload
OWASP Top Ten 2007	A3	CWE More Specific	Malicious File Execution

References

Richard Stanway (r1CH). "Dynamic File Uploads, Security and You". <http://shsc.info/FileUploadSecurity>.

Content History

Submissions

PLOVER. (Externally Mined)

Modifications

Eric Dalci. Cigital. 2008-07-01. (External)

updated Time_of_Introduction

CWE Content Team. MITRE. 2008-09-08. (Internal)

updated Alternate_Terms, Relationships, Other_Notes, Taxonomy_Mappings

CWE Content Team. MITRE. 2009-01-12. (Internal)

updated Relationships

Page Last Updated: May 26, 2009


	CWE is a Software Assurance strategic initiative sponsored by the National Cyber Security Division of the U.S. Department of Homeland Security. This Web site is hosted by The MITRE Corporation. Copyright 2009, The MITRE Corporation. CWE and the CWE logo are trademarks of The MITRE Corporation. Contact cwe@mitre.org for more information.	Privacy policy Terms of use Contact us