Potentially dangerous file

By
Nash N Sulthan
Published on
24 Jun 2018
1 min read
Vulnerability

A potentially dangerous file is a file that runs malicious code to harm the server or the client. There are servers that allow any file types to be uploaded to the server. This allows the attacker to upload or transfer files of dangerous types that can be automatically processed within the product’s environment.

The following are the possible vulnerabilities the application may face due to a potentially dangerous file:-

  • Remote inclusion: This attack involves adding malicious files to the server remotely.
  • Linux local file disclosure: Linux local files disclosure involves an attacker having access to all files on a server running on Linux.
  • BSD local file disclosure: An attacker has the access to the server running on BSD OS.
  • Unix local file disclosure: UNIX local file inclusion is an attack that allows the attacker to access files on a server running on an OS based on UNIX.
  • Windows local file disclosure: This attack allows an attacker the access to all files in the server. This vulnerability affects servers running on Windows.
  • File disclosure attack using the include_path: The attacker can use the include_path present in the PHP to access all the files in the server.

Impact

Using this vulnerability, an attacker can:-

  • perform code execution on the server.
  • execute code execution using javascript on the client side server. This attack can lead to attacks like Cross-site scripting (XSS) etc.
  • perform Denial of Service.
  • leak sensitive information from the application.

Mitigation / Precaution

Beagle recommends the following fixes:-

  • Make sure to allow specific file extensions.
  • Allow authorised and authenticated users to use the feature.
  • Make sure that the uploaded file is actually an image or whatever file type you expect from the server.
Automated human-like penetration testing for your web apps & APIs
Teams using Beagle Security are set up in minutes, embrace release-based CI/CD security testing and save up to 65% with timely remediation of vulnerabilities. Sign up for a free account to see what it can do for you.

Written by
Nash N Sulthan
Nash N Sulthan
Cyber Security Lead Engineer
Experience the Beagle Security platform
Unlock one full penetration test and all Advanced plan features free for 10 days
Find surface-level website security issues in under a minute
Free website security assessment
Experience the power of automated penetration testing & contextual reporting.