Problem

Very often during file validation we are check extension and size of file. We want to be sure that user will not be able to upload executable file(php, exe and other). On the other hand we treat files like xls, doc or pdf as safe.

However file doesn’t have to bee danger for our server, if this file can be unsafe for our customer we are screwed.

Details ?

Pdf, doc and xls can contain malicious code. For doc and xls we have macro code, for pdf we can find easy to use, tools to genereate pdf with embeded code inside.

Solution

OWASP describes on this page https://www.owasp.org/index.php/Protect_FileUpload_Against_Malicious_File how to validate files

Creating pdf with an exploit

1. System: Kali Linux
2. Tool: Metasploit

As you see, 6 commands is enough to generate simple pdf with an exploit. In this case, nothing special will happen. Pdf with open with an error and after that, malicious code will open system calc.

Of course system calc is not dangerous, but it’s just an example that it’s possible to run external applications.

End

I think that each time a file is being uploaded something more should be done during validation, not only extension and size checking.