Remote Code Execution (RCE) via File Upload
General Requirements for Remote Code Execution Reports
Provide full demonstration of commands or code execution and its output when possible.
Demonstrate various commands (ping, nslookup, wget, dir, ls, etc.) if possible.
Where possible, DNS/HTTP callbacks should include a system environment variable in the callback address to prove that the code actually executed.
Videos are highly recommended as hosts/targets may become unavailable.
Template Contents
Title:
Remote Code Execution at {URL or HOST IP} via File Upload
Description:
The application or host at {URL or HOST IP} was determined to be vulnerable to Remote Code Execution (RCE) via a file upload vulnerability. A {authenticated or unauthenticated} user is able to upload a file to execute arbitrary code on the underlying operating system. The following report will outline this attack.
Impact:
The following are some common impacts of this attack:
An attacker who is able to exploit such a flaw is usually able to execute commands with the privileges of the application on the web server.
Remote Code Execution can lead to a full compromise of the vulnerable web application/host, thus affecting the confidentiality and integrity of the data stored.
Recommended Fix:
The following methods can be used to remediate this issue:
Limit file formats that users can upload.
Check the file extension against a whitelist of permitted extensions.
Do not write uploaded files to the server's permanent filesystem until they have been fully validated by antivirus scanning.
Never accept a filename and its extension directly without having a whitelist filter.
The upload directory should not have any "execute" permissions.
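The remediation steps above can be combined into one upload handler. The following Python sketch is an added example, not part of the original template; the allowlist contents, the function names and the `scan` hook (standing in for the antivirus check) are assumptions.

```python
import os
import secrets
import tempfile
from pathlib import Path

# Assumed allowlist for this example; set it to what the application needs.
ALLOWED_EXTENSIONS = {".png", ".jpg", ".jpeg", ".pdf"}


class UploadRejected(Exception):
    """Raised when an upload fails validation."""


def safe_extension(client_name: str) -> str:
    """Return the lower-cased extension if it is on the allowlist, else raise."""
    base = os.path.basename(client_name.replace("\\", "/"))
    ext = Path(base).suffix.lower()
    if ext not in ALLOWED_EXTENSIONS:
        raise UploadRejected(f"extension not permitted: {ext or '(none)'}")
    return ext


def store_upload(client_name, data, staging_dir, final_dir, scan=lambda path: True):
    """Validate, stage, scan, then move an upload into permanent storage.

    `scan` is a hypothetical hook standing in for the antivirus check; it
    receives the staged path and returns True when the file is clean.
    staging_dir and final_dir are assumed to be on the same filesystem.
    """
    ext = safe_extension(client_name)
    # Stage outside the permanent directory (mkstemp creates the file 0600).
    fd, staged = tempfile.mkstemp(dir=staging_dir)
    try:
        with os.fdopen(fd, "wb") as fh:
            fh.write(data)
        if not scan(Path(staged)):
            raise UploadRejected("file failed scanning")
        # The stored name is generated server-side; the client name is discarded.
        final_path = Path(final_dir) / (secrets.token_hex(16) + ext)
        os.chmod(staged, 0o640)  # read/write only, no execute bits
        os.replace(staged, final_path)
        return final_path
    finally:
        # Remove the staged copy whenever it did not reach permanent storage.
        if os.path.exists(staged):
            os.remove(staged)
```

File mode bits alone do not stop a web server from interpreting a stored file, so the upload directory should also be excluded from script handling in the server configuration.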
For additional information see: Unrestricted File Upload | OWASP Foundation