Jump to content

Allowed file type work around? Security risk?


Recommended Posts

This appears to be an exploit that allows a user to upload zip files to a post despite zip files not allowed. I found one on my site. Making the extension as myfile.zip.jpg If you change the extension back to .zip and extract it contains 2 webp files and an mp4 file. Also file types I don’t allow.

I've tried to recreate this but usually I get the message 'There was a problem uploading the file' when uploading a zip disguised as a jpg, which is how it should work.

However using his original zip I managed to add an exe file and upload it without problems...

It could be to do with webm files, I managed to create a 94mb zip file full of webm files and upload it by changing the extension..

Link to comment
Share on other sites

When you are restricting based on file type alone, then yes it's fairly easy to simply rename a file to something else. We don't actually inspect the file headers to try to validate the file type (that isn't realistic without knowing the intimate structure of every single type of file out there).

Has this actually caused any problems or harm?

Link to comment
Share on other sites


This topic is now archived and is closed to further replies.

  • Recently Browsing   0 members

    • No registered users viewing this page.
  • Create New...