1.2.1305. Upload Filename Injection

When receiving a file via Upload, it is recommended to store it under a self-generated name. Any storage that uses the original filename, or even a part of it may be vulnerable to injections.

It is highly recommended to validate any incoming file, generate a name for it, and store the result in a folder outside the web folder. Also, avoid accepting PHP scripts, if possible.

<?php

// Security error ! the $_FILES['upload']['filename'] is provided by the sender.
// 'a.<script>alert(\'a\')</script>'; may lead to a HTML injection.
$extension = substr( strrchr($_FILES['upload']['name'], '.') ,1);
if (!in_array($extension, array('gif', 'jpeg', 'jpg')) {
    // process error
    continue;
}
// Md5 provides a name without special characters
$name = md5($_FILES['upload']['filename']);
if(@move_uploaded_file($_FILES['upload']['tmp_name'], '/var/no-www/upload/'.$name.'.'.$extension)) {
    safeStoring($name.'.'.$extension, $_FILES['upload']['filename']);
}

// Security error ! the $_FILES['upload']['filename'] is provided by the sender.
if(@move_uploaded_file($_FILES['upload']['tmp_name'], $_FILES['upload']['filename'])) {
    safeStoring($_FILES['upload']['filename']);
}

// Security error ! the $_FILES['upload']['filename'] is provided by the sender.
// 'a.<script>alert('a')</script>'; may lead to a HTML injection.
$extension = substr( strrchr($_FILES['upload']['name'], '.') ,1);
$name = md5($_FILES['upload']['filename']);
if(@move_uploaded_file($_FILES['upload']['tmp_name'], $name.'.'.$extension)) {
    safeStoring($name.'.'.$extension, $_FILES['upload']['filename']);
}

?>

See also [CVE-2017-6090], CWE-616: Incomplete Identification of Uploaded File Variables and Why File Upload Forms are a Major Security Threat.

1.2.1305.1. Suggestions

  • Validate uploaded filenames

  • Rename files upon storage, and keep the original name in a database

1.2.1305.2. Specs

Short name

Security/UploadFilenameInjection

Rulesets

All, Security

Exakat since

0.12.14

PHP Version

All

Severity

Major

Time To Fix

Instant (5 mins)

Precision

High

Features

upload

Available in

Entreprise Edition, Exakat Cloud