Let’s go from the most basic to more advanced.

In the simplest form the website accepts the file as-is and then saves it to /uploads/yourfilename.ext . If we can get the server to execute this file, you can run it and possibly extract login info to the server itself, extract all of the files on the server, or extract the entire database. If you can’t then what you could do is upload a javascript file which will run on their own domain. Using this you could make a script to send out website credentials and run commands on behalf of logged in users as long as it could be included in the page.

​

Now lets add some security features which also open us up to other attacks.

​

We now scan the file to verify it is what it says it is. That scanner could have security problems which allow for the same thing to happen as above but we’re guaranteed the server is running code against the file so we could potentially have an RCE (remote code execution) attack.

​

Even if we **correctly** determine the file is legit like say an image with the WebP format, the code that parses that file could **still** be vulnerable to exploits as was shown a few months ago: [https://blog.cloudflare.com/uncovering-the-hidden-webp-vulnerability-cve-2023-4863/](https://blog.cloudflare.com/uncovering-the-hidden-webp-vulnerability-cve-2023-4863/)

​

Uploading files is risky and scanning them is risky. A “secure” upload would save the file outside of where the user can just access it, rename the file, run it on a different server, run it under an account with read-only access, scan it with yet another server with as little access as possible, make it available on a domain that isn’t the same as the primary host.