Statements (40)
| Predicate | Object |
|---|---|
| gptkbp:instanceOf |
gptkb:Common_Weakness_Enumeration
|
| gptkbp:affectedResource |
Web applications
File upload components |
| gptkbp:category |
Software Weakness
|
| gptkbp:child |
CWE-434.1
CWE-434.2 |
| gptkbp:consequence |
gptkb:Denial_of_Service
Privilege escalation Remote Code Execution System Compromise Data Loss Bypass of security controls Execution of arbitrary code |
| gptkbp:describes |
The software allows the uploading of files with dangerous types that can be automatically processed within the product's environment.
|
| gptkbp:example |
Uploading a PHP file to a web server that executes it
Uploading a .exe file to a Windows server |
| gptkbp:hasCWE |
434
|
| https://www.w3.org/2000/01/rdf-schema#label |
CWE-434
|
| gptkbp:introduced |
Improper input validation
Lack of file type checking |
| gptkbp:likelihoodOfExploit |
High
|
| gptkbp:mitigatedBy |
Store uploaded files outside web root
Rename uploaded files Restrict file types Validate file type and content before upload |
| gptkbp:name |
Unrestricted Upload of File with Dangerous Type
|
| gptkbp:parent |
gptkb:CWE-434
|
| gptkbp:relatedTo |
gptkb:CWE-78
gptkb:CWE-94 gptkb:CWE-22 OWASP Top 10 A8:2017-Insecure Deserialization |
| gptkbp:seeAlso |
https://cwe.mitre.org/data/definitions/434.html
|
| gptkbp:status |
Draft
|
| gptkbp:taxonomyMapping |
OWASP ASVS 4.0 V16.5
OWASP Top Ten 2017 A8 OWASP Top Ten 2021 A8 PCI DSS v3.2.1 6.5.10 |
| gptkbp:weakness |
gptkb:Base
|
| gptkbp:bfsParent |
gptkb:CWE
|
| gptkbp:bfsLayer |
7
|