If a website allows the user to upload files, it’s usually considered a vulnerability and the server has to do a bunch of checks.
Does it depend on what the server does with the file? If the user uploads a hacking script, but the server is configured to do absolutely nothing with what’s uploaded, how can that script ever run?
And how can a user know what the server is doing with the file? Yeah trial and error, but trial what, and aren’t there countless things to trial?
In: Technology
Your body doesn’t know what to do with a virus, yet it still infects you. Iffy analogy, but the idea works. Malicious files don’t always need to be run by the host to cause problems. They can exploit vulnerabilities that allow them to operate “on their own”, gathering data, infecting connected systems, etc.
>And how can a user know what the server is doing with the file?
If you know what systems/software the server is running, and you know that there is a vulnerability in one of those systems, you can target that vulnerability with your malware to get some sort of access or do some sort of damage.
Latest Answers