Vulnerability Name: Unrestricted File Upload on [Domain name]
Vulnerability Description: The application is vulnerable to unrestricted file uploads. Effective controls have not been implemented to restrict users from uploading malicious content to the web server. Files containing active code can be uploaded and executed on the server allowing for a number of serious attacks against the application and infrastructure.
[Content of malicious file uploaded on server]
Steps to Reproduce:
Login to the application.
Go to the [URL].
Upload the malicious file, say it as
Once uploaded, go to the [path of file uploaded].
You should see the web shell there.
This is Unrestricted file upload.
Snapshots or video link attached
Impact: Unrestricted file upload is a serious vulnerability with significant impact on the application and its infrastructure. An attacker with the ability to upload a malicious file to the application can set up drive-by-download attacks, deface the website, or gain access to the file system through a web shell. Once an attacker has remote access to the server, they can ex-filtrate sensitive data, compromise the integrity of application data, or cause denial of service to the application.
Attack Scenario: Suppose there's a unrestricted file upload vulnerability on some documents upload page, here the attacker can upload a web shell on that page, and find a way to access that shell. once he gets access then he can take down the whole company.
Remediation: Restrict file types accepted for upload: check the file extension and only allow certain files to be uploaded. Use a whitelist approach instead of a blacklist. Check for double extensions such as .php.png. Check for files without a filename like .htaccess (on ASP.NET, check for configuration files like web.config). Change the permissions on the upload folder so the files within it are not executable. If possible, rename the files that are uploaded.