CWE-434 Base Brouillon Medium likelihood

Unrestricted Upload of File with Dangerous Type

This vulnerability occurs when an application accepts file uploads without properly restricting the file types, allowing attackers to upload and execute malicious files on the server.

Définition

What is CWE-434?

This vulnerability occurs when an application accepts file uploads without properly restricting the file types, allowing attackers to upload and execute malicious files on the server.
At its core, this flaw is about trust. Applications often treat uploaded files as safe data, but without strict validation, an attacker can upload a script, executable, or other dangerous file type. When the server stores this file in a web-accessible location and later processes or serves it, the malicious code can execute with the application's own privileges, leading to complete system compromise. To prevent this, developers must implement a multi-layered defense. This includes using an allow-list approach for file extensions, verifying the file's actual content (not just its claimed type), storing uploads outside the web root, and ensuring files are served with secure, non-executable permissions. Relying solely on client-side checks or obscuring upload locations is insufficient, as these are easily bypassed by a determined attacker.
Vulnerability Diagram CWE-434
Unrestricted File Upload Upload form shell.php Server save to /uploads/ no MIME / ext check .php executable here GET /uploads/shell.php → webshell, RCE Uploaded scripts land in an executable directory and run as the server.
Impact réel

Real-world CVEs caused by CWE-434

  • CVE-2023-5227

    PHP-based FAQ management app does not check the MIME type for uploaded images

  • CVE-2001-0901

    Web-based mail product stores ".shtml" attachments that could contain SSI

  • CVE-2002-1841

    PHP upload does not restrict file types

  • CVE-2005-1868

    upload and execution of .php file

  • CVE-2005-1881

    upload file with dangerous extension

  • CVE-2005-0254

    program does not restrict file types

  • CVE-2004-2262

    improper type checking of uploaded files

  • CVE-2006-4558

    Double "php" extension leaves an active php extension in the generated filename.

Comment les attaquants l'exploitent

Parcours de l'attaquant étape par étape

  1. 1

    The following code intends to allow a user to upload a picture to the web server. The HTML code that drives the form on the user end has an input field of type "file".

  2. 2

    Once submitted, the form above sends the file to upload_picture.php on the web server. PHP stores the file in a temporary location until it is retrieved (or discarded) by the server side code. In this example, the file is moved to a more permanent pictures/ directory.

  3. 3

    The problem with the above code is that there is no check regarding type of file being uploaded. Assuming that pictures/ is available in the web document root, an attacker could upload a file with the name:

  4. 4

    Since this filename ends in ".php" it can be executed by the web server. In the contents of this uploaded file, the attacker could use:

  5. 5

    Once this file has been installed, the attacker can enter arbitrary commands to execute using a URL such as:

Exemple de code vulnérable

Vulnerable PHP

Once submitted, the form above sends the file to upload_picture.php on the web server. PHP stores the file in a temporary location until it is retrieved (or discarded) by the server side code. In this example, the file is moved to a more permanent pictures/ directory.

Vulnérable PHP 
```
// Define the target location where the picture being* 
  
  
   *// uploaded is going to be saved.* 
  $target = "pictures/" . basename($_FILES['uploadedfile']['name']);
  
  
   *// Move the uploaded file to the new location.* 
  if(move_uploaded_file($_FILES['uploadedfile']['tmp_name'], $target))
  {
  ```
  	echo "The picture has been successfully uploaded.";
  }
  else
  {
  	echo "There was an error uploading the picture, please try again.";
  }
Charge utile de l'attaquant

The problem with the above code is that there is no check regarding type of file being uploaded. Assuming that pictures/ is available in the web document root, an attacker could upload a file with the name:

Charge utile de l'attaquant 
malicious.php
Exemple de code sécurisé

Secure HTML

The following code intends to allow a user to upload a picture to the web server. The HTML code that drives the form on the user end has an input field of type "file".

Sécurisé HTML 
<form action="upload_picture.php" method="post" enctype="multipart/form-data">
  Choose a file to upload:
  <input type="file" name="filename"/>
  <br/>
  <input type="submit" name="submit" value="Submit"/>
  </form>
What changed: the unsafe sink is replaced (or the input is validated/escaped) so the same payload no longer triggers the weakness.
Liste de contrôle de prévention

How to prevent CWE-434

  • Architecture and Design Generate a new, unique filename for an uploaded file instead of using the user-supplied filename, so that no external input is used at all.[REF-422] [REF-423]
  • Architecture and Design When the set of acceptable objects, such as filenames or URLs, is limited or known, create a mapping from a set of fixed input values (such as numeric IDs) to the actual filenames or URLs, and reject all other inputs.
  • Architecture and Design Consider storing the uploaded files outside of the web document root entirely. Then, use other mechanisms to deliver the files dynamically. [REF-423]
  • Implementation Assume all input is malicious. Use an "accept known good" input validation strategy, i.e., use a list of acceptable inputs that strictly conform to specifications. Reject any input that does not strictly conform to specifications, or transform it into something that does. When performing input validation, consider all potentially relevant properties, including length, type of input, the full range of acceptable values, missing or extra inputs, syntax, consistency across related fields, and conformance to business rules. As an example of business rule logic, "boat" may be syntactically valid because it only contains alphanumeric characters, but it is not valid if the input is only expected to contain colors such as "red" or "blue." Do not rely exclusively on looking for malicious or malformed inputs. This is likely to miss at least one undesirable input, especially if the code's environment changes. This can give attackers enough room to bypass the intended validation. However, denylists can be useful for detecting potential attacks or determining which inputs are so malformed that they should be rejected outright. For example, limiting filenames to alphanumeric characters can help to restrict the introduction of unintended file extensions.
  • Architecture and Design Define a very limited set of allowable extensions and only generate filenames that end in these extensions. Consider the possibility of XSS (CWE-79) before allowing .html or .htm file types.
  • Implementation Ensure that only one extension is used in the filename. Some web servers, including some versions of Apache, may process files based on inner extensions so that "filename.php.gif" is fed to the PHP interpreter.[REF-422] [REF-423]
  • Implementation When running on a web server that supports case-insensitive filenames, perform case-insensitive evaluations of the extensions that are provided.
  • Architecture and Design For any security checks that are performed on the client side, ensure that these checks are duplicated on the server side, in order to avoid CWE-602. Attackers can bypass the client-side checks by modifying values after the checks have been performed, or by changing the client to remove the client-side checks entirely. Then, these modified values would be submitted to the server.
Signaux de détection

How to detect CWE-434

Dynamic Analysis with Automated Results Interpretation SOAR Partial

According to SOAR [REF-1479], the following detection techniques may be useful: ``` Cost effective for partial coverage: ``` Web Application Scanner Web Services Scanner Database Scanners

Dynamic Analysis with Manual Results Interpretation SOAR Partial

According to SOAR [REF-1479], the following detection techniques may be useful: ``` Cost effective for partial coverage: ``` Fuzz Tester Framework-based Fuzzer

Manual Static Analysis - Source Code High

According to SOAR [REF-1479], the following detection techniques may be useful: ``` Highly cost effective: ``` Focused Manual Spotcheck - Focused manual analysis of source Manual Source Code Review (not inspections)

Automated Static Analysis - Source Code High

According to SOAR [REF-1479], the following detection techniques may be useful: ``` Highly cost effective: ``` Source code Weakness Analyzer Context-configured Source Code Weakness Analyzer

Architecture or Design Review High

According to SOAR [REF-1479], the following detection techniques may be useful: ``` Highly cost effective: ``` Formal Methods / Correct-By-Construction ``` Cost effective for partial coverage: ``` Inspection (IEEE 1028 standard) (can apply to requirements, design, source code, etc.)

Correction automatique Plexicus

Plexicus détecte automatiquement CWE-434 et ouvre une PR de correction en moins de 60 secondes.

Codex Remedium analyse chaque commit, identifie cette faiblesse précise et livre une pull request prête à être relue avec le correctif. Pas de tickets. Pas de transferts.

Obtenir une démo Essayer Plexicus gratuitement
Questions fréquentes

Frequently asked questions

Qu'est-ce que CWE-434 ?

This vulnerability occurs when an application accepts file uploads without properly restricting the file types, allowing attackers to upload and execute malicious files on the server.

Quelle est la gravité de CWE-434 ?

MITRE évalue la probabilité d'exploitation comme Moyenne — l'exploitation est réaliste mais nécessite généralement des conditions spécifiques.

Quels langages ou plateformes sont affectés par CWE-434 ?

MITRE lists the following affected platforms: ASP.NET, PHP, Web Server.

Comment puis-je prévenir CWE-434 ?

Generate a new, unique filename for an uploaded file instead of using the user-supplied filename, so that no external input is used at all.[REF-422] [REF-423] When the set of acceptable objects, such as filenames or URLs, is limited or known, create a mapping from a set of fixed input values (such as numeric IDs) to the actual filenames or URLs, and reject all other inputs.

Comment Plexicus détecte et corrige CWE-434 ?

Le moteur SAST de Plexicus reconnaît la signature de flux de données de CWE-434 à chaque commit. Lorsqu'une correspondance est trouvée, notre agent Codex Remedium ouvre une PR de correction avec le code corrigé, les tests et un résumé d'une ligne pour le relecteur.

Où puis-je en savoir plus sur CWE-434 ?

MITRE publie la définition canonique à https://cwe.mitre.org/data/definitions/434.html. Vous pouvez également consulter la documentation OWASP et NIST pour des conseils adjacents.

Faiblesses associées

Weaknesses related to CWE-434

CWE-669 Parent

Incorrect Resource Transfer Between Spheres

This vulnerability occurs when an application incorrectly moves or shares a resource (like data, permissions, or functionality) between…

CWE-1420 Frère

Exposure of Sensitive Information during Transient Execution

Transient execution vulnerabilities occur when a processor speculatively runs operations that don't officially commit, potentially leaking…

CWE-212 Frère

Improper Removal of Sensitive Information Before Storage or Transfer

This vulnerability occurs when an application stores or transmits a resource containing sensitive data without properly cleaning it first,…

CWE-243 Frère

Creation of chroot Jail Without Changing Working Directory

This vulnerability occurs when a program creates a chroot jail but fails to change its current working directory afterward. Because the…

CWE-494 Frère

Download of Code Without Integrity Check

This vulnerability occurs when an application fetches and runs code from an external source—like a remote server or CDN—without properly…

CWE-565 Frère

Reliance on Cookies without Validation and Integrity Checking

This vulnerability occurs when an application uses cookies to make security decisions—like granting access or changing settings—but fails…

CWE-829 Frère

Inclusion of Functionality from Untrusted Control Sphere

This weakness occurs when an application integrates executable code, like a library or plugin, from a source it does not fully control or…

CWE-351 Pair

Insufficient Type Distinction

This vulnerability occurs when an application fails to properly differentiate between different types of data or objects, leading to…

CWE-436 Pair

Interpretation Conflict

An interpretation conflict occurs when two systems process the same data or sequence of events differently, leading one system to make…

Ressources

Further reading

Prêt quand vous l'êtes

Arrêtez de payer par développeur.
Commencez à fermer la boucle.

Plexicus est l'ASPM natif IA qui scanne, filtre, corrige, penteste et explique — de façon autonome. Développeurs illimités, dépôts illimités, actions IA à usage équitable. Vrai niveau gratuit, €269/mo annuel quand vous êtes prêt.

Commencer gratuitement Réserver une démo