Common mistakes in implementation of file uploading


Recently, a new hompeage is being built in the laboratory where I belong to. Just for fun, I’ve tried couple of XSS attacks and file upload attacks.

I’d like to mention file upload vulnerabilities I’ve found at the site. Firstly, I’ve upload ‘a.php’. The server program automatically changed the file extenstion to ‘a.phpx’. Okay, the site fulfilled its basic responsibility. So I tried, ‘a.php.php’. Then, the server changed the extentsion to ‘a.phpx.phpx’.

At this point, it is manifest that the server do something like ‘replace(argument, “php”, “phpx”)’. So, I tried, ‘a.PHP’. What do you think the result was? Actually, I’ve succeeded in uploading the file. Then, it was easy to get database account & password from the site.

I’ve requested the developer to be cautious when checking the file extensions and reported that ‘PHP’ is uploadable. Later, to doublecheck the security of the web site, I tried ‘a.PHP’. At this time, file name changed to ‘a.phpx’. Thus, I tried ‘a.pHp’, and I succeded in getting user account and password.

The developer is changing the code again. At this time, I want the code to be complete.


2 responses to “Common mistakes in implementation of file uploading”

  1. 이희승 Avatar

    요즘 영어로 글쓰시나요 헙..;

  2. 민구 Avatar

    넹… 그냥 바람이 불어서. 나중에 아마 논문 쓰느라 내내 영작만 해야되는 시절이 온다거나, 만사가 귀찮아진다거나 하면 다시 한국어로 돌아갈 계획이예요..^^

Leave a Reply

Your email address will not be published. Required fields are marked *