Malicious file execution ranks at #3 on OWASP's top 10 list.
What is Malicious File Execution?
Malicious file execution is a server-side web application vulnerability. It occurs when hostile, user-controlled input is passed into server-side file or stream handling. Such input may reach file stream functions or external object references (for example, a path or URL that the application then includes or opens), which can lead to remote code execution and even complete system compromise.
Who is vulnerable?
Any web application that accepts user input is potentially vulnerable. This attack is most prevalent in PHP, particularly when SMB file wrappers are used.
How can I prevent it?
The best way to prevent this attack is proper input validation (as usual). It is also good practice to NEVER use user-supplied input as any part of a file name for a server resource; map the input to a fixed, server-defined set of allowed resources instead. Also be sure that the server is behind a firewall, so that it cannot reach out to arbitrary remote hosts to fetch files.
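To make the "never use user input as part of a file name" rule concrete, here is an added example (not code from the original post) showing a vulnerable PHP page loader beside a hardened one. The `pages/*.php` files, the `PAGE_MAP` allowlist and the function names are assumptions for illustration; the `allow_url_include` and `allow_url_fopen` directives mentioned in the comments are real PHP settings.

```php
<?php
// Added example, not from the original post.

// VULNERABLE: the request parameter becomes part of the include path.
// If allow_url_include / allow_url_fopen are on, a remote URL or an SMB-style
// path in ?page= makes PHP fetch and execute attacker-controlled code; even
// with them off, "../" sequences can pull in unintended local files.
function load_page_vulnerable(string $page): void
{
    include $page . '.php';
}

// HARDENED: the input is only an indirect key into a fixed, server-defined
// allowlist. No part of the user-supplied string ever reaches the file name.
const PAGE_MAP = [
    'home'    => __DIR__ . '/pages/home.php',    // assumed to exist
    'about'   => __DIR__ . '/pages/about.php',   // assumed to exist
    'contact' => __DIR__ . '/pages/contact.php', // assumed to exist
];

// Returns the allowed path for a key, or null when the key is not listed.
// Exact-match lookup: no normalisation, no prefix matching, no fallbacks.
function resolve_page(string $key): ?string
{
    return PAGE_MAP[$key] ?? null;
}

function load_page_hardened(string $key): void
{
    $path = resolve_page($key);
    if ($path === null) {
        // Reject anything outside the allowlist rather than trying to "clean" it.
        http_response_code(400);
        echo 'Unknown page';
        return;
    }
    include $path;
}

// Usage: the raw request value is only ever used as a lookup key.
load_page_hardened($_GET['page'] ?? 'home');
```

The hardened version is the defensive pattern the post recommends: validation is reduced to a membership test against a closed set, so the application never has to reason about which path, URL or wrapper strings are "safe". Disabling `allow_url_include` (and, where the application does not need it, `allow_url_fopen`) in `php.ini` is a complementary server-side control that removes the remote-fetch capability altogether.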
Resources
Saturday, March 28, 2009