CWE-434 - Unrestricted Upload of File with Dangerous Type
CWE-434 Medium
- Abstraction: Base
- Structure: Simple
- Status: Draft
- Weakness Name
Unrestricted Upload of File with Dangerous Type
- Description
The product allows the upload or transfer of dangerous file types that are automatically processed within its environment.
- Common Consequences
Scope: Integrity, Confidentiality, Availability
Impact: Execute Unauthorized Code or Commands
Notes: Arbitrary code execution is possible if an uploaded file is interpreted and executed as code by the recipient. This is especially true for web-server extensions such as .asp and .php because these file types are often treated as automatically executable, even when file system permissions do not specify execution. For example, in Unix environments, programs typically cannot run unless the execute bit is set, but PHP programs may be executed by the web server without directly invoking them on the operating system.
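An added example, not part of the CWE entry: because the web server decides what to interpret from the file extension rather than the execute bit, this sketch lets the server choose the stored name and extension from an allowlist. The allowlist, the function names and an upload directory outside the web root are assumptions of the example.

```python
import os
import secrets
from pathlib import Path

# Assumed policy for this example: allowed extension -> required leading bytes.
ALLOWED = {
    ".png": b"\x89PNG\r\n\x1a\n",
    ".jpg": b"\xff\xd8\xff",
    ".pdf": b"%PDF-",
}


class RejectedUpload(ValueError):
    """Raised when an upload does not meet the allowlist policy."""


def stored_name_for(client_filename: str, data: bytes) -> str:
    """Return a server-generated file name, or raise RejectedUpload."""
    ext = Path(client_filename).suffix.lower()
    magic = ALLOWED.get(ext)
    if magic is None:
        # Covers .php, .asp, names without an extension, and dotfiles.
        raise RejectedUpload(f"extension {ext!r} is not on the allowlist")
    if not data.startswith(magic):
        raise RejectedUpload(f"content does not look like {ext}")
    # Only the vetted extension survives; the rest of the client name is dropped.
    return secrets.token_hex(16) + ext


def save_upload(upload_dir: Path, client_filename: str, data: bytes) -> Path:
    """Write the upload into upload_dir (assumed to sit outside the web root)."""
    dest = upload_dir / stored_name_for(client_filename, data)
    # O_EXCL refuses to overwrite. Mode 0o640 sets no execute bit, but as the
    # Notes above explain, that bit alone would not stop a web server from
    # interpreting a .php file, hence the extension allowlist.
    fd = os.open(dest, os.O_WRONLY | os.O_CREAT | os.O_EXCL, 0o640)
    with os.fdopen(fd, "wb") as fh:
        fh.write(data)
    return dest


if __name__ == "__main__":
    import tempfile
    png = b"\x89PNG\r\n\x1a\n" + b"\x00" * 8  # constructed sample content
    with tempfile.TemporaryDirectory() as d:
        print(save_upload(Path(d), "avatar.PNG", png).name)
```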
- Related Weaknesses
- Release Date: 2006-07-19
- Latest Modification Date: 2024-07-16