DerScanner
Home / Vulnerability Database / PHP : Unsafe file upload
PHP

PHP : Unsafe file upload

Classification

OWASP Top 10 2013
A1-Injection
OWASP Top 10 2017
A1-Injection
OWASP Top 10 2021
A3-Injection
OWASP ASVS
Files and ResourcesFiles and Resources
PCI DSS 4.0
6.2.4
CWE
CWE-1027

Overview

The application receives a file attached to a SOAP-message. This can be exploited to upload malicious data or code to the server.

If users can upload files to a publicly accessible directory, an attacker can use this for remote execution of malicious code on the server.

References

  1. OWASP Top 10 2017-A1-Injection
  2. OWASP Top 10 2013-A1-Injection
  3. CWE-434: Unrestricted Upload of File with Dangerous Type
  4. move_uploaded_file - php.net
  5. CWE CATEGORY: OWASP Top Ten 2017 Category A1 - Injection
LOW

DerScanner Severity Score

Do you want to fix PHP : Unsafe file upload in your application?

See also

PHP

PHP : Null salt

PHP

PHP : Empty password

PHP

PHP : Empty salt