
Python : Unsafe file upload

Classification

OWASP Top 10 2013
OWASP Top 10 2017
OWASP Top 10 2021
PCI DSS 4.0

Overview

If users can upload files to publicly accessible directories, an attacker can use this to achieve remote execution of malicious code on the server.

MEDIA_ROOT specifies the absolute filesystem path to the directory that holds files uploaded by users. STATIC_ROOT specifies the absolute path to the directory where collectstatic collects static files for deployment. MEDIA_ROOT and STATIC_ROOT must have different values.

MEDIA_URL stores the URL used to manage the stored files. MEDIA_URL and STATIC_URL must also have different values.
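
The rule above can be checked automatically before deployment. The following is an added example, not DerScanner's or Django's own code: the helper name `check_upload_settings` and the sample paths are assumptions, and it goes beyond the page's "different values" rule by also flagging nesting, where one directory or URL prefix contains the other.

```python
import posixpath
from pathlib import PurePosixPath
from urllib.parse import urlsplit


def _norm_url(url):
    # Reduce a URL or URL path to (host, "/path/") so prefixes compare cleanly.
    parts = urlsplit(str(url))
    path = posixpath.normpath("/" + parts.path.strip("/"))
    return parts.netloc.lower(), path.rstrip("/") + "/"


def check_upload_settings(settings):
    """Return findings for a dict of Django-style settings (hypothetical helper)."""
    findings = []
    media_root, static_root = settings.get("MEDIA_ROOT"), settings.get("STATIC_ROOT")
    if media_root and static_root:  # unset values cannot collide
        a = PurePosixPath(posixpath.normpath(str(media_root)))
        b = PurePosixPath(posixpath.normpath(str(static_root)))
        if a == b:
            findings.append("MEDIA_ROOT equals STATIC_ROOT")
        elif a in b.parents or b in a.parents:
            findings.append("MEDIA_ROOT and STATIC_ROOT are nested")
    media_url, static_url = settings.get("MEDIA_URL"), settings.get("STATIC_URL")
    if media_url and static_url:
        (host_m, path_m), (host_s, path_s) = _norm_url(media_url), _norm_url(static_url)
        if host_m == host_s:
            if path_m == path_s:
                findings.append("MEDIA_URL equals STATIC_URL")
            elif path_m.startswith(path_s) or path_s.startswith(path_m):
                findings.append("MEDIA_URL and STATIC_URL are nested")
    return findings


# Constructed sample settings (paths are illustrative, not taken from the page).
WEAK = {"MEDIA_ROOT": "/srv/app/static/", "STATIC_ROOT": "/srv/app/static",
        "MEDIA_URL": "/static/", "STATIC_URL": "static/"}
NESTED = {"MEDIA_ROOT": "/srv/app/static/uploads", "STATIC_ROOT": "/srv/app/static",
          "MEDIA_URL": "/static/uploads/", "STATIC_URL": "/static/"}
FIXED = {"MEDIA_ROOT": "/srv/app/media", "STATIC_ROOT": "/srv/app/static",
         "MEDIA_URL": "/media/", "STATIC_URL": "/static/"}

if __name__ == "__main__":
    for name, cfg in (("weak", WEAK), ("nested", NESTED), ("fixed", FIXED)):
        print(name, check_upload_settings(cfg) or "ok")
```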

DerScanner Severity Score: LOW
