CWE-434βUnrestricted Upload of File with Dangerous Type
PUBLISHEDweakness recordMedium
released 2006-07-19 Β· last modified 2026-04-30
Metadata
- CWE ID:
- CWE-434
- Abstraction:
- Base
- Structure:
- Simple
- Status:
- Draft
- Release Date:
- 2006-07-19
- Latest Modification Date:
- 2026-04-30
Weakness Name
Unrestricted Upload of File with Dangerous Type
Description
The product allows the upload or transfer of dangerous file types that are automatically processed within its environment.
Common Consequences
- Scope:
- Integrity, Confidentiality, Availability
- Impact:
- Execute Unauthorized Code or Commands
- Notes:
- Arbitrary code execution is possible if an uploaded file is interpreted and executed as code by the recipient. This is especially true for web-server extensions such as .asp and .php because these file types are often treated as automatically executable, even when file system permissions do not specify execution. For example, in Unix environments, programs typically cannot run unless the execute bit is set, but PHP programs may be executed by the web server without directly invoking them on the operating system.