File upload XSS

File upload XSS

Description

This script is possibly vulnerable to XSS (Cross-site scripting). The web application allows file upload and Acunetix was able to upload a file containing HTML content. When HTML files are allowed, XSS payload can be injected in the file uploaded. Check Attack details for more information about this attack.

Remediation

Restrict file types accepted for upload: check the file extension and only allow certain files to be uploaded. Use a whitelist approach instead of a blacklist. Check for double extensions such as .php.png. Check for files without a filename like .htaccess (on ASP.NET, check for configuration files like web.config). Change the permissions on the upload folder so the files within it are not executable. If possible, rename the files that are uploaded.

References

OWASP Unrestricted File Upload

Why File Upload Forms are a major security threat

Testing for Stored Cross site scripting (OWASP-DV-002)

Related Vulnerabilities

WordPress Plugin TagNinja 'id' Parameter Cross-Site Scripting (1.0)

WordPress Plugin Relevanssi-A Better Search Cross-Site Scripting (4.0.4)

WordPress Plugin Cart66 Lite::WordPress Ecommerce Cross-Site Scripting (1.5.4)

WordPress Plugin Ultimate Member-User Profile & Membership Arbitrary File Upload (1.0.83)

WordPress Plugin Tiny URL Cross-Site Scripting (1.3.2)                                     

 

Recommendation
Rootshell Security recommends that in most situations where user-controllable data is copied into application responses, cross-site scripting attacks can be prevented using two layers of defences:
Input should be validated as strictly as possible on arrival, given the kind of content which it is expected to contain.

For example, personal names should consist of alphabetical and a small range of typographical characters, and be relatively short; a year of birth should consist of exactly four numerals; email addresses should match a well-defined regular expression. Input which fails the validation should be rejected, not sanitised.
User input should be HTML-encoded at any point where it is copied into application responses. All HTML meta characters, including < > " ' and =, should be replaced with the corresponding HTML entities (< > etc.).
In cases where the application's functionality allows users to author content using a restricted subset of HTML tags and attributes (for example, blog comments which allow limited formatting and linking), it is necessary to parse the supplied HTML to validate that it does not use any dangerous syntax; this is a non-trivial task.

 

作者:Chuck Lu    GitHub