Luke a Pro

Luke Sun

Developer & Marketer

🇺🇦
EN||
© 2015–2026 Luke Sun.
All rights reserved.

File Upload Vulnerabilities

| , 3 minutes reading.

1. Definition

File Upload Vulnerabilities occur when a web server allows users to upload files to its filesystem without sufficiently validating things like their name, type, contents, or size.

The most critical impact is Remote Code Execution (RCE): an attacker uploads a script (e.g., shell.php) which is then executed by the server.

2. Technical Explanation

Servers often determine how to handle a file based on its extension or MIME type.

  1. Extension Bypass: Attackers rename shell.php to shell.php.jpg or shell.php%00.jpg (Null Byte).
  2. MIME Spoofing: Changing the Content-Type header to image/jpeg while sending a PHP script.
  3. Polyglots: Creating a valid image file that also contains valid PHP code in its metadata (EXIF).

If the server saves this file to a public directory (e.g., /uploads) and the server is configured to execute PHP/ASP files in that directory, visiting site.com/uploads/shell.php executes the malware.

3. Attack Flow (Web Shell)

sequenceDiagram
    participant Attacker
    participant Server
    participant FS as FileSystem

    Attacker->>Server: POST /upload shell.php as shell.jpg
    Note right of Attacker: Content: PHP web shell code

    Server->>Server: Check Extension .jpg - Pass
    Server->>FS: Save to /var/www/uploads/shell.jpg

    Attacker->>Server: GET /uploads/shell.jpg
    Note right of Attacker: Server executes PHP because<br/>config allows .jpg to run as script<br/>or file was saved as .php
    
    Server-->>Attacker: Result of command execution

4. Real-World Case Study: ImageTragick (2016)

Target: Thousands of websites using ImageMagick. Vulnerability Class: File Processing / Command Injection (CVE-2016-3714).

The Vulnerability: ImageMagick is a library used by many sites (including Facebook and Yahoo at the time) to resize user-uploaded photos. It had a flaw in how it handled SVG (Vector) files. It supported “delegates” that could execute shell commands.

The Attack: An attacker uploaded a crafted image file (like exploit.jpg or exploit.mvg) containing:

fill 'url(https://example.com/image.jpg"|ls "-la)'

When the server attempted to “resize” this image, ImageMagick executed the ls -la command on the server. This allowed full RCE simply by uploading a profile picture.

5. Detailed Defense Strategies

A. List of Allowed Extensions (Allowlist)

Never use a blocklist (denying .php, .exe). Attackers will find .php5, .phtml, etc.

  • Allowlist: Only accept specific safe extensions: .jpg, .png, .pdf.

B. Validate Content (Magic Bytes)

Do not trust the file extension or the Content-Type header (these are user-controlled).

  • Mechanism: Read the first few bytes (Magic Number) of the file.
    • JPEG = FF D8 FF
    • PNG = 89 50 4E 47
  • Reject the file if the magic bytes do not match the extension.

C. Randomize Filenames

Never use the user-provided filename (my_vacation.jpg).

  • Defense: Rename the file to a UUID (f47ac10b...jpg) upon storage. This prevents overwriting critical system files and mitigates some directory traversal attempts.

D. Store Outside Webroot

Store uploaded files in a directory that is not accessible via the web server (e.g., an S3 bucket or a private folder). Serve them back via a controller that reads the file stream. This prevents the server from ever executing the file.

6. References