logo

CWE-434 - Unrestricted Upload of File with Dangerous Type

CWE-434 Medium

  • Abstraction:
  • Base
  • Structure:
  • Simple
  • Status:
  • Draft
Weakness Name

Unrestricted Upload of File with Dangerous Type

Description

The product allows the upload or transfer of dangerous file types that are automatically processed within its environment.

Common Consequences

Scope: Integrity, Confidentiality, Availability

Impact: Execute Unauthorized Code or Commands

Notes: Arbitrary code execution is possible if an uploaded file is interpreted and executed as code by the recipient. This is especially true for web-server extensions such as .asp and .php because these file types are often treated as automatically executable, even when file system permissions do not specify execution. For example, in Unix environments, programs typically cannot run unless the execute bit is set, but PHP programs may be executed by the web server without directly invoking them on the operating system.

Related Weaknesses

CWE-669Incorrect Resource Transfer Between Spheres

CWE-351Insufficient Type Distinction

CWE-430Deployment of Wrong Handler

CWE-436Interpretation Conflict

  • Release Date:
  • 2006-07-19
  • Latest Modification Date:
  • 2024-07-16

Free security scan for your website