Unrestricted File Upload

Letting users upload arbitrary files into a web-served directory lets attackers plant executable webshells.

Definition

Unrestricted file upload is the vulnerability that arises when an application accepts user-uploaded files without validating the type, content, or storage location. The classic disaster is an "upload profile picture" feature that writes the uploaded file to a directory served by the web server — and accepts `shell.php` (or `shell.jsp`, `shell.aspx`) as a valid filename. The attacker fetches `/uploads/shell.php` and the web server happily executes the embedded code.

The bug class is closely tied to webshell attacks; it is a typical first stage of a server compromise after a low-skill recon scan, because the webshell gives the attacker a persistent foothold the moment it lands. Real-world chains often end this way even when the entry point is something else: ProxyShell (Exchange) chained a pre-auth path-confusion bug into an arbitrary file write that dropped a webshell into a web-served directory, turning the bug into reliable RCE at internet scale.

How it works

The upload handler trusts the filename, extension, or `Content-Type` header submitted by the client, all of which the attacker controls. If the destination directory is web-served and the runtime is configured to execute files matching the uploaded extension, the file is now executable. Naive extension checks are routinely bypassed: alternate extensions the runtime also executes (`.phtml`, `.php5`, `.phar`), case variants (`.PHP`), double extensions such as `shell.php.jpg` on stacks where Apache's mod_mime applies a handler to any extension in the name, path traversal in the filename (`../../webroot/shell.php`), or an uploaded `.htaccess` that re-enables script execution for the directory. Even when nothing executes, a file that is merely served back from the application's origin is dangerous: uploaded HTML or SVG renders as a page on that origin (stored XSS), and browser content sniffing (guessing the type from content rather than honouring `Content-Type`) turns other file types into HTML as well unless the server sends `X-Content-Type-Options: nosniff`.

Impact

Remote code execution as the web server's user, with the webshell serving as persistence for follow-on credential theft and lateral movement. Even without execution, an uploaded HTML or SVG file served from the application's origin yields stored XSS against other users.

Mitigation

Validate the file type on the server against an allowlist of expected types, checking the magic bytes of the content rather than the client-supplied extension or `Content-Type`; magic bytes alone do not stop polyglots (a valid image header followed by script), so treat this as one layer, not the only one. Rename uploads to a server-chosen identifier with a server-chosen extension, and never let any part of the user-supplied name reach the filesystem path. Store uploads outside the web root and serve them through a dedicated handler that sets a fixed `Content-Type`, `Content-Disposition: attachment`, and `X-Content-Type-Options: nosniff`. If files must live under the web root, disable script execution for that directory (on Apache, `SetHandler default-handler` inside a `<Directory>` block, plus `AllowOverride None` so an uploaded `.htaccess` cannot re-enable handlers). Enforce size limits, and scan uploads for embedded scripts as defence in depth.
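The directory lockdown from the previous paragraph as an Apache configuration fragment. This is an added example, not configuration from the original page; the directory path is illustrative, `php_flag` only applies to mod_php builds, and the `Header` lines require mod_headers.

```apache
# Added example: lock down an upload directory that must sit under the web root.
# Path is illustrative; adapt to your vhost.
<Directory "/var/www/app/uploads">
    # Serve every file as static content; no script handler ever runs here,
    # whatever extension the file carries (.php, .phtml, .php.jpg, ...).
    SetHandler default-handler

    # An uploaded .htaccess must not be able to re-map handlers or MIME types.
    AllowOverride None

    # Extra guard for mod_php deployments (no effect with php-fpm).
    php_flag engine off

    # No CGI or server-side includes from this tree either.
    Options -ExecCGI -Includes

    # Force download and forbid sniffing so uploaded HTML/SVG cannot render
    # on the application's origin (requires mod_headers).
    Header set Content-Disposition "attachment"
    Header set X-Content-Type-Options "nosniff"
</Directory>
```

After applying it, verify from outside: upload a file containing `<?php phpinfo(); ?>` through the application and fetch it back; the response must be the literal bytes as a download, never rendered PHP output.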

Examples

  • CVE-2021-22005 — VMware vCenter Server; an arbitrary file upload in the Analytics service led to unauthenticated RCE.
  • CVE-2021-34473 — ProxyShell; this CVE is the pre-auth path confusion, and the chain's final stage (CVE-2021-31207) is an arbitrary file write that drops a webshell into a web-served directory.
