File uploads


    #1056351
    Catherine Grant
    Participant

    Hi,

    We have recently had a security firm audit our website.
    One of the points they raised was with the validation of the file upload on the “Add Event” page.
    I’ll include what they provided as it explains it perfectly.
    Can you please let me know if this is something that can be looked at?

    Cheers!

    Description
    Insufficient File Upload Validation: The application does not perform sufficient validation on uploaded files. Unauthenticated attackers may upload malicious files which may be used to gain access to the application. Additionally, a lack of rate-limiting controls could result in.

    Additional Details
    The ‘add event’ functionality allows any unauthenticated user to upload files. There exists a filter for .jpg, .gif and .png image files, however the application was found to accept .php.<jpg/gif/png>, and .jpg’s with embedded php code. Although execution of the arbitrary shell files was denied, no validation was performed and they were successfully uploaded and accessible via their storage location on the web server.

    Recommendation
    Restrict uploaded files to a whitelist of file types and extensions. Cater for pre-extensions such as file.php.jpg. Perform a scan of content uploaded to the file for both malware and HTML code where possible. Configure the storage folders to deny execution rights and prevent direct access to these folders. Consider only allowing the upload/event creation functionality to authenticated users, and renaming files stored on the server or appending text to them when possible.
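As an added example (not code from the original post, the auditors, or the plugin), the checks the recommendation above describes, in one validator: an allowlist of image extensions, rejection of a reserved extension in any position of the name (so file.php.jpg is refused), a magic-byte check that the content matches the declared type, a scan for embedded script markers, and a random stored filename. It is written in Python rather than the plugin's PHP so the logic can be exercised stand-alone; the extension and marker lists are constructed assumptions, not the plugin's configuration.

```python
import os
import secrets

# Allowed image extensions and the leading bytes their content must start with.
ALLOWED = {
    "jpg": b"\xff\xd8\xff",
    "jpeg": b"\xff\xd8\xff",
    "png": b"\x89PNG\r\n\x1a\n",
    "gif": b"GIF8",          # covers GIF87a and GIF89a
}

# Extensions that must never appear anywhere in an uploaded name
# (assumed list; catches shell.php.jpg as well as shell.php).
RESERVED_EXTS = {"php", "php3", "php4", "php5", "php7", "phtml", "phar",
                 "htaccess", "html", "htm", "js", "svg"}

# Byte sequences that have no business inside a raster image (assumed list).
SCRIPT_MARKERS = (b"<?php", b"<?=", b"<script")


def check_upload(filename, content):
    """Validate an upload. Returns (accepted, reason, stored_name).

    stored_name is a random name chosen by the server, so the attacker never
    controls the path the file is served from. Pair this with a storage folder
    that denies script execution; validation alone is not a substitute.
    """
    if "\x00" in filename:
        return False, "null byte in filename", None
    # Normalise: drop any directory part, lower-case, strip whitespace.
    base = os.path.basename(filename.replace("\\", "/")).strip().lower()
    parts = base.split(".")
    if len(parts) < 2 or not parts[0]:
        return False, "no extension", None
    exts = parts[1:]
    if any(e in RESERVED_EXTS for e in exts):
        return False, "reserved extension", None
    ext = exts[-1]
    if ext not in ALLOWED:
        return False, "extension not allowed", None
    if not content.startswith(ALLOWED[ext]):
        return False, "content does not match declared type", None
    if any(marker in content for marker in SCRIPT_MARKERS):
        return False, "embedded script content", None
    stored = secrets.token_hex(16) + "." + ext
    return True, "ok", stored
```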

    #1056617
    Barry
    Member

    Hi @grantdayjames:

    Thank you first of all for taking the time to report this issue. We take security issues very seriously and really appreciate you highlighting this.

    I’ll discuss this with the team and once we’ve examined the problem in some more detail we will then take any further action that might be needed.

    As a temporary measure, you could install and activate this plugin which should guard against most of the issues you described.

    Thanks once again and of course we’ll keep you posted as things progress 🙂

    #1076790
    Support Droid
    Keymaster

    This topic has not been active for quite some time and will now be closed.

    If you still need assistance please simply open a new topic (linking to this one if necessary)
    and one of the team will be only too happy to help.

The topic ‘File uploads’ is closed to new replies.