Security Alert! Sites hacked via upload scripts

ColdFusion, News & Gossip

SECURITY ALERT!


There has been an increase in the past few days of sites being hacked via file upload scripts, in particular a number of high-profile ColdFusion-based sites.

The attacker gets in by uploading a CFM, ASP, PHP or other server-executable file type and then requesting that file's URL, so the web server runs it. That gives him code execution on the server and a foothold from which to escalate his access.


If any publicly accessible area of your site accepts file uploads, make sure it is not vulnerable: validate the uploaded file type against an allow-list of what you actually expect, and never let an executable file (anything the web server will run as a script) reach a folder the server serves.


Pay particular attention to things like image uploads on forums and other applications, which people tend to assume are safe because "it only allows images". Many scripts actually write the uploaded file to its final destination folder first, validate it afterwards, and then delete it if it is not valid. That leaves a window in which the file sits under the webroot and can be executed.


The attacker exploits that window with a load-testing tool that continuously requests the URL where he knows his file will land (e.g. mysite.com/files/xyz.cfm), many times a second. When he then uploads the file, one of those requests hits it in the few milliseconds between the write and the delete, and the server executes it. It only has to succeed once.

To avoid this scenario, perform your checks before accepting the upload where the platform allows it, or upload the file to a temporary location the attacker cannot reach (outside the webroot) and move it to the destination folder only once it has been verified. While you are at it, validate by what is actually in the file rather than trusting the content type the browser reports, and let the server choose the stored file name so the attacker cannot predict the URL to hammer.
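The following is an added example of the temp-then-move approach in ColdFusion; it is not code from the original post. It assumes ColdFusion 8 or later (for IsImageFile), a form field named "photo", uploads served from /files/ under the webroot, and that the directory returned by GetTempDirectory() is not reachable by URL. Because cffile action="upload" always writes the file to disk before any of your code can inspect it, the only way to "check before accepting" on this platform is to write it somewhere that is never served.

```cfml
<!--- Added example (not from the original post): hardened image upload
      handler. Assumed: form field "photo", served folder /files/, and a
      GetTempDirectory() that the web server does not expose. --->
<cfset allowedExt = "jpg,jpeg,gif,png">
<cfset finalDir   = ExpandPath("/files/")>

<!--- Step 1: cffile upload writes the file before you can look at it, so
      write it to a location outside the webroot. Do not rely on the accept
      attribute here: it compares the MIME type the browser claimed, which
      the attacker controls. --->
<cffile action="upload"
        fileField="photo"
        destination="#GetTempDirectory()#"
        nameConflict="makeunique">

<cfset tempPath = cffile.serverDirectory & "/" & cffile.serverFile>

<cftry>
    <!--- Step 2: validate while the file is still unreachable. Extension
          against an allow-list (never a block-list), then the bytes:
          IsImageFile() decodes the file, so a CFM script renamed to .jpg is
          rejected even though its extension passes. --->
    <cfif NOT ListFindNoCase(allowedExt, cffile.serverFileExt)>
        <cfthrow message="Extension not allowed: #cffile.serverFileExt#">
    </cfif>
    <cfif NOT IsImageFile(tempPath)>
        <cfthrow message="Upload is not a valid image">
    </cfif>

    <!--- Step 3: only now move it into the served folder, under a
          server-chosen name, so the attacker can neither predict the URL
          to hammer nor smuggle anything in via the original file name. --->
    <cfset safeName = CreateUUID() & "." & LCase(cffile.serverFileExt)>
    <cffile action="move"
            source="#tempPath#"
            destination="#finalDir & safeName#">
    <cfoutput><p>Stored as /files/#safeName#</p></cfoutput>

    <cfcatch type="any">
        <!--- Any failure deletes the temp copy. Nothing was ever under the
              webroot, so there is no window for the race described above. --->
        <cfif FileExists(tempPath)>
            <cffile action="delete" file="#tempPath#">
        </cfif>
        <cfoutput><p>Upload rejected: #HTMLEditFormat(cfcatch.message)#</p></cfoutput>
    </cfcatch>
</cftry>
```

The two checks are deliberately independent: the extension check decides what the web server will do with the file once it is served, and the content check catches a script that merely carries an image extension. Renaming to a UUID removes the attacker's ability to pre-compute the URL, which is what the load-testing trick depends on.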


Powered by Mango Blog. Design and Icons by N.Design Studio