File Upload, XSS, CWE-79, CAPEC-86, Cross Site Scripting, DORK, Unforgivable Vulnerabilities

Report generated by Hoyt LLC at Wed Sep 22 21:57:40 EDT 2010.

The DORK Report

Summary

Severity:	Information
Confidence:	Certain
Host:	https://oss.hoyt.net
Path:	/Configurations/AutoScriptCopy.aspx

Issue detail

The page contains a form which is used to submit a user-supplied file to the following URL:

https://oss.hoyt.net/Configurations/AutoScriptCopy.aspx

Note that Burp has not identified any specific security vulnerabilities with this functionality, and you should manually review it to determine whether any problems exist.

Issue background

File upload functionality is commonly associated with a number of vulnerabilities, including:

File path traversal
Persistent cross-site scripting
Placing of other client-executable code into the domain
Transmission of viruses and other malware
Denial of service

You should review the file upload functionality to understand its purpose, and establish whether uploaded content is ever returned to other application users, either through their normal usage of the application or by being fed a specific link by an attacker.

Some factors to consider when evaluating the security impact of this functionality include:

Whether uploaded content can subsequently be downloaded via a URL within the application.
What Content-type and Content-disposition headers the application returns when the file's content is downloaded.
Whether it is possible to place executable HTML/JavaScript into the file, which executes when the file's contents are viewed.
Whether the application performs any filtering on the file extension or MIME type of the uploaded file.
Whether it is possible to construct a hybrid file containing both executable and non-executable content, to bypass any content filters - for example, a file containing both a GIF image and a Java archive (known as a GIFAR file).
What location is used to store uploaded content, and whether it is possible to supply a crafted filename to escape from this location.
Whether archive formats such as ZIP are unpacked by the application.
How the application handles attempts to upload very large files, or decompression bomb files.

Issue remediation

File upload functionality is not straightforward to implement securely. Some recommendations to consider in the design of this functionality include:

Use a server-generated filename if storing uploaded files on disk.
Inspect the content of uploaded files, and enforce a whitelist of accepted, non-executable content types. Additionally, enforce a blacklist of common executable formats, to hinder hybrid file attacks.
Enforce a whitelist of accepted, non-executable file extensions.
If uploaded files are downloaded by users, supply an accurate non-generic Content-type header, and also a Content-disposition header which specifies that browsers should handle the file as an attachment.
Enforce a size limit on uploaded files (for defense-in-depth, this can be implemented both within application code and in the web server's configuration.
Reject attempts to upload archive formats such as ZIP.

Request

GET /Configurations/AutoScriptCopy.aspx HTTP/1.1
Host: oss.hoyt.net
Accept: */*
Accept-Language: en
User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.0)
Connection: close
Referer: https://oss.hoyt.net/IconsMain.aspx?IconsHead=MyServer
Cookie: AdminName=03B090AD5F97C70D4DC47E1F79D0478B14D58B7E02C9D5E2CAF5156188725F913C0DEC85C1F90A3AE0F60B578414178E9C8ECC17D03B469D941E54A8504A3B7FE1AC4FACC8ACCC3B0D9AD9A5DBD43DE9; SkinName=Blue; DateFormat=dd/mm/yy; ThemeName=VogueTree; Language=English; ASP.NET_SessionId=wb3whmyqzmyp2gzuei32poui; Dateformat=dd/mm/yy; ShowQuickHelp=1;

Response

HTTP/1.1 200 OK
Cache-Control: no-cache
Content-Type: text/html; charset=utf-8
Server: Microsoft-IIS/7.5
X-AspNet-Version: 2.0.50727
Date: Thu, 23 Sep 2010 01:48:21 GMT
Connection: close
Content-Length: 12278

<div id="general" style="VISIBILITY:visible; FONT:10px bold"><input onclick="__doPostBack('btnSaveSettings','')" name="btnSaveSettings" type="button" id="btnSaveSettings" value="Button" /><input onc
...[SNIP]...
<td height="20" class="FieldBgColor">
<input name="ZipFile" type="file" id="ZipFile" size="30" />
</td>
...[SNIP]...

Report generated by Hoyt LLC at Wed Sep 22 21:57:40 EDT 2010.