If a website allows the user to upload files, it’s usually considered a vulnerability and the server has to do a bunch of checks.
Does it depend on what the server does with the file? If the user uploads a hacking script, but the server is configured to do absolutely nothing with what’s uploaded, how can that script ever run?
And how can a user know what the server is doing with the file? Yeah, trial and error, but trial what, and aren’t there countless things to trial?
One big thing regardless of file contents is that you can potentially fill the server’s disk, or if they’re using cloud storage, explode the storage bill. Both are very undesirable for the person running the server. Filling the disk can crash the server, and a huge cloud storage bill ruins profitability.
Beyond that, it also gives an attacker a potential avenue to load some tools in for them to use to advance an exploit. Many attacks are not just a full remote code execution, and layering multiple vulnerabilities in a row can be a way to gain access. Uploading files to use in those layers can be significant.
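An added example, not part of the answer above: one way a server can guard against the disk-filling problem it describes is to count bytes as they arrive and stop at a per-file cap and a per-user quota. The function name, the limits and the `.upload` suffix are assumptions for illustration.

```python
import io
import os
import secrets
import tempfile

CHUNK = 64 * 1024  # read in small pieces so memory use stays bounded


class UploadRejected(Exception):
    """Raised when an upload would exceed a size or quota limit."""


def save_upload(stream, dest_dir, used_bytes, max_file_bytes, quota_bytes):
    """Copy an upload into dest_dir, enforcing limits while streaming.

    Bytes are counted as they are read, never taken from a client-declared
    length, and a partial file is deleted on rejection.
    Returns (stored_path, bytes_written).
    """
    budget = min(max_file_bytes, quota_bytes - used_bytes)
    # Server-chosen random name: the client's filename and extension are ignored.
    path = os.path.join(dest_dir, secrets.token_hex(16) + ".upload")
    written = 0
    try:
        # O_EXCL refuses to overwrite; mode 0o600 sets no execute bit.
        fd = os.open(path, os.O_WRONLY | os.O_CREAT | os.O_EXCL, 0o600)
        with os.fdopen(fd, "wb") as out:
            while chunk := stream.read(CHUNK):
                written += len(chunk)
                if written > budget:
                    raise UploadRejected(f"limit of {budget} bytes exceeded")
                out.write(chunk)
    except BaseException:
        if os.path.exists(path):
            os.remove(path)  # never leave a truncated upload on disk
        raise
    return path, written


if __name__ == "__main__":
    # Constructed sample input: a 1 KiB upload, then one over the 2 KiB cap.
    with tempfile.TemporaryDirectory() as d:
        print(save_upload(io.BytesIO(b"a" * 1024), d, 0, 2048, 8192))
        try:
            save_upload(io.BytesIO(b"a" * 4096), d, 1024, 2048, 8192)
        except UploadRejected as err:
            print("rejected:", err)
```

Storing the file under a random name in a directory the web server does not serve or execute from also limits how useful an uploaded file is as a later step in a layered attack.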