Allowing users to upload files to a server can be very dangerous if the files are not checked correctly; this can lead to a range of attacks, from XSS and XXE to RCE.
If XML files uploaded to the server are parsed by a parser vulnerable to XXE, the attacker will be able to read internal files, make internal requests (SSRF) and, even worse, execute OS commands on the server.
../ : if the uploaded file name contains ../, the attacker will be able to traverse directories and place the file in any directory on the server, allowing them for example to put their own SSH keys there. An interesting variant of this is the Zip-Slip vulnerability, which uses a zip file whose entries have names carrying the ../ prefix, so that when the zip file is extracted the files are placed in arbitrary directories on the server.
Crossdomain.xml : uploading a crossdomain.xml file will lead to bypassing the CORS policy for Flash files.
.htaccess : uploading an .htaccess file may lead to "safe" file extensions being executed as code.
RTLO : even if you check the extension correctly, the displayed file name can be reversed on a Windows server using the RTLO character %E2%80%AE, so if you upload a file named sj.live containing the RTLO, it is shown reversed as evil.js.
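The checks a defender would put in front of the upload handler for the ../ (including Zip-Slip), crossdomain.xml, .htaccess and RTLO cases above, as an added example that is not part of the original page; the blocklist, the temporary archives and the entry names are constructed for the demonstration.

```python
import os
import tempfile
import unicodedata
import zipfile

BLOCKED_NAMES = {".htaccess", "crossdomain.xml"}  # names the text calls out

def safe_filename(name: str) -> str:
    """Return name if it is safe to store, otherwise raise ValueError."""
    # U+202E (RTLO, %E2%80%AE) is Unicode category Cf; rejecting every Cf
    # character blocks the sj.live -> evil.js display trick from the text.
    if any(unicodedata.category(ch) == "Cf" for ch in name):
        raise ValueError("bidi/format control character in file name")
    # Separators or dot segments would let ../ escape the upload directory.
    if "/" in name or "\\" in name or name in {"", ".", ".."}:
        raise ValueError("path separator or traversal in file name")
    if name.lower() in BLOCKED_NAMES:
        raise ValueError("server configuration file name not allowed")
    return name

def safe_extract(zip_path: str, dest: str) -> list:
    """Zip-Slip guard: refuse any entry whose resolved path leaves dest."""
    dest_real = os.path.realpath(dest)
    written = []
    with zipfile.ZipFile(zip_path) as zf:
        for info in zf.infolist():
            target = os.path.realpath(os.path.join(dest_real, info.filename))
            if os.path.commonpath([dest_real, target]) != dest_real:
                raise ValueError("zip entry escapes destination: " + info.filename)
            zf.extract(info, dest_real)
            written.append(target)
    return written

def demo() -> dict:
    """Run safe_extract on two constructed archives in a temp directory."""
    out = {}
    with tempfile.TemporaryDirectory() as tmp:
        for label, entry in (("good", "report.txt"), ("bad", "../escape.txt")):
            path = os.path.join(tmp, label + ".zip")
            with zipfile.ZipFile(path, "w") as zf:
                zf.writestr(entry, b"x")  # "bad" carries a Zip-Slip style name
            try:
                out[label] = len(safe_extract(path, os.path.join(tmp, "out")))
            except ValueError:
                out[label] = "rejected"
    return out
```

The whole-archive check runs before any entry is written, so a single malicious entry rejects the upload instead of leaving a partially extracted tree behind.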
Vulnerable antiviruses scanning uploaded files may lead to executing commands.
Windows Defender has a DLL called mpengine.dll which analyzes JS files and executes them after checking them, which can be abused as in this CTF write-up.