
SID-02460: How can we prevent upload of dangerous file types?

Status: Answered
TWiki version: 6.0.0
Perl version: 5.16.3
Category: CategorySecurity
Server OS: RedHat Linux 7.4
Last update: 5 years ago

A manual PEN test of one of our sites flagged that the attachment upload functionality "allows an attacker to upload malicious html files and exe files". Is there currently a way to configure checking of file types and excluding undesirable ones?

If there is no such feature currently, do any known plugins provide this or would it be easy to patch this? Any pointers?

-- TWiki Guest - 2020-12-03

Discussion and Answer

See the {UploadFilter} configure setting. Matched filenames are renamed on upload to have a .txt extension appended, such as evil.php to evil.php.txt.

-- Peter Thoeny - 2020-12-04
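
A sketch of how a filter pattern of this kind behaves, as an added example (not TWiki's own code or its default value): the pattern, the `filtered_name` helper and the sample filenames are constructed for illustration, and the pattern is extended to the HTML and EXE types raised in the question.

```perl
#!/usr/bin/perl
use strict;
use warnings;

# Constructed candidate pattern for the {UploadFilter} setting (an assumption
# for illustration, not a TWiki default). It covers Apache override files,
# server-side script types, HTML/SVG and Windows executables.
# /i catches upper-case variants such as EVIL.EXE; the optional (?:\..*)?
# tail catches a risky extension that is followed by a harmless-looking one.
my $upload_filter = qr/^(?:\.htaccess|.*\.(?:php[0-9s]?|[sp]?html?|xhtml|svg|pl|py|cgi|exe|dll|bat|cmd|scr|msi)(?:\..*)?)$/i;

# Hypothetical helper modelling the behaviour described in the answer:
# a filename that matches the filter gets ".txt" appended, others pass through.
sub filtered_name {
    my ($name) = @_;
    return $name =~ $upload_filter ? "$name.txt" : $name;
}

# Constructed sample filenames, including the edge cases the pattern must handle.
my @samples = (
    'report.pdf',      # harmless, left alone
    'notes.txt',       # harmless, left alone
    'htmlguide.pdf',   # "html" in the base name only, left alone
    'evil.php',        # the case from the answer
    'index.html',      # HTML from the pen-test finding
    'page.HTM',        # short, upper-case HTML extension
    'shell.phtml',     # PHP-handled HTML variant
    'setup.exe',       # EXE from the pen-test finding
    'EVIL.EXE',        # upper-case extension
    'evil.php.jpg',    # risky extension hidden before a second one
    '.htaccess',       # Apache per-directory override file
);

# Print the stored name for each upload when the script is run directly.
unless (caller) {
    printf "%-16s -> %s\n", $_, filtered_name($_) for @samples;
}
```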

SupportForm
Status: Answered
Title: How can we prevent upload of dangerous file types?
SupportCategory: CategorySecurity
TWiki version: 6.0.0
Server OS: RedHat Linux 7.4
Web server: Apache httpd 2.4.6
Perl version: 5.16.3
Browser & version: Firefox 83.0
Topic revision: r3 - 2020-12-06 - PeterThoeny