Questions tagged [file-upload]

File upload means sending a file from a local system to a remote system such as a server or another client with the intent that the remote system should store a copy of the file being transferred.

300 questions
10 votes, 1 answer

How can I spoof the Mimetype of a file upload?

There are posts that say php mimetype isn't secure, or can be bypassed. How do people spoof the mimetype?

asked by h00j (766 reputation)
8 votes, 2 answers

What does it mean to have a "file name with NULL bytes in serialized instances"?

I was browsing this page, which redirected me to this vulnerability because I'm a Java developer and I'm aware of the affected library. Basically the vulnerability says: It was discovered that Apache Commons FileUpload incorrectly handled file…

asked by Muhammad Gelbana (191 reputation)
4 votes, 5 answers

Secure File Sharing with China

I am looking for a convenient, and particularly a secure way to share files with business contacts in China. My priorities, in this order, are Secure, non-hackable. Accessible. I know many sites (YouTube, notably) are not universally accessible…

asked by stranger (143 reputation)
3 votes, 2 answers

Security concerns with uploading an image

We have to implement a user profile image upload feature in our web application. The user can upload his profile image. After uploading the image, it will be saved to a DB2 DB, and it will be rendered only to the user who uploaded the image after…

asked by Jimmy (31 reputation)
3 votes, 1 answer

"Public facing" dropbox folder uploads to admin's machine. Potential security issues?

We've got a client who uses Wufoo for their website's forms. One of their forms contains a file upload feature; this is set in Wufoo to place the uploaded file into a Dropbox folder. This Dropbox folder syncs to an office clerk's computer, so any…

asked by sam (556 reputation)
2 votes, 2 answers

So I need to unzip and process user submitted zip files - how to do so securely?

I am writing a system that accepts zipfiles from end users. The title says it all - what precautions should I take to ensure my processing server does not get compromised when I need to unzip a completely random set of user files from a zipfile and…

asked by Duke Dougal (229 reputation)
2 votes, 1 answer

Can an inaccessible uploaded PDF harm a server?

Is it possible for an uploaded PDF file to harm an Apache server, if the filepath can't be found? That is, the PDF file can't be viewed from the browser or accessed by a known path once uploaded. I have a feature within a Drupal site that allows…

asked by keva (123 reputation)
2 votes, 1 answer

CVE-2017-15580: Getting code execution with upload

I'm testing a target with osTicket 1.7 for CVE-2017-15580. Instead of getting a shell, I'm trying to get the target to make an HTTP request to a temporary end-point. My temporary end-point is https://test.free.beeceptor.com and the command to be…

asked by ChocolateOverflow (3,482 reputation)
1 vote, 1 answer

Uploading Disabled for executable file during change of Extension

As we know, uploading an executable file is not safe. But if we change the extension of the file from exe to txt, then the file gets uploaded. How to prevent this?

asked by Ayush3g (155 reputation)
1 vote, 2 answers

File Upload - scan in-memory or after saving

The web-application I'm working on will allow users to upload files (Word / PDF etc.). I intend to run a clamav scan on the files after upload before anything further is done with them. From a security perspective is there any difference or…

asked by Kris C (113 reputation)
1 vote, 2 answers

Find path of file on website with randomized string in it

Users have the possibility to upload a sensitive personal file to a specific website. After uploading, only the user himself and the administrator of the website have the ability to download the file again. All files of any user are uploaded to the…

asked by O'Niel (2,914 reputation)
1 vote, 1 answer

What is the point of hashes when downloading over the same channel?

What is the point of providing shaXXX hashes for downloads of software over say TLS when any attacker that could change the download could have easily changed the hash? Isn't there enough information in the download to know that it is corrupt? Just…
1 vote, 1 answer

How to secure upload from desktop client to web application?

Let's say we have a desktop application and a web application. The desktop application uploads files to the server using POST requests to the web application. What are the possibilities (except using certificates and username/password) to find out…

asked by bretik (1,870 reputation)
1 vote, 3 answers

What is simplest way to transfer files (company computer security is excessive)?

I work indirectly for a Japanese government as an English assistant. They block all known internet email, file stores like dropbox, and have recently stopped the use of USB flash drives. I used to use microSD but several schools don't have the…

asked by user2617804 (149 reputation)
1 vote, 2 answers

Are there file downloading programs that calculate checksums during the download process?

Calculating checksums for large files, i.e. tens to hundreds of gigabytes, is a lengthy process. Are there file downloading programs that calculate checksums during the download process? I think some web servers have the ability to include checksum…

asked by vfclists (115 reputation)