Statistics show that file upload vulnerabilities are WordPress’s third most common vulnerability type. Hackers will often use file upload vulnerabilities to spread malware, gain access to web servers, perform attacks on visitors to a website, host illegal files and much more.
This guide will identify the risk factors of having unrestricted file uploads before explaining the most common types of file upload vulnerabilities. Finally, we’ll explain how to secure the WordPress file upload system.
What are the risk factors of unrestricted file uploads?
There are many risk factors associated with unsecured file upload systems including:
If a hacker successfully places an executable file on your server, they may use it to launch server-side attacks. For example, if they upload a web shell, they may use it to take control of certain parts of your web server. Exploiting file upload vulnerabilities also allows hackers to place trojan horses, viruses, and other malicious files on your website.
Triggering vulnerabilities in server applications or libraries
Uploading a malformed file or one which masquerades as a different file type might trigger a vulnerability in certain pieces of server software. One well-known attack exploited a vulnerability in the image processing software ImageMagick. Hackers discovered they could execute arbitrary code by hiding it inside image files that would be processed by ImageMagick. This would potentially allow the hacker to take control of the server.
Hackers may also upload files to trigger vulnerabilities in real-time monitoring software. There was a recent vulnerability in Symantec antivirus software that could be triggered by uploading a RAR file. Triggering this vulnerability could result in memory corruption on the server, potentially crashing certain programs or the server itself. Hackers could also use this file upload exploit to crash the real-time security monitoring, then perform another kind of attack.
Uploading certain types of malicious files can make a WordPress website vulnerable to client-side attacks like cross-site content hijacking and XSS attacks. Hackers might also be interested in uploading files that trigger vulnerabilities in the libraries or applications used by end-user devices. For example, there was a vulnerability in iPhones which caused a buffer overflow in LibTIFF.
Causing an administrator or webmaster to execute code
Malicious files including Windows viruses, Unix shell scripts and Excel files may be uploaded if there are unrestricted file uploads. A server administrator or webmaster might discover these files, then open them to determine what they are — executing the code and allowing malware onto your server.
Hackers might be able to deface the website
If your website publishes user-uploaded content, allowing unrestricted file uploads may result in your website being defaced or used for a phishing attack.
The website’s file storage system may be abused
Hackers often target unsecured file upload systems to store troublesome files. These files might include illegal software downloads, pornographic material, stolen intellectual property, malware, or data used by criminal organisations.
Hackers can learn more about the server
An incorrectly secured file upload form may display error messages that give hackers information about the server’s configuration. This information might include file paths or folder permissions.
Causing denial of service attacks
Unsecured file upload forms may allow hackers to upload extremely large files or hundreds of files at once — performing a denial of service attack.
Types of file upload vulnerabilities
The most common types of file upload vulnerabilities include:
Unrestricted upload of a file with a dangerous type
This vulnerability occurs in systems where any type of file can be uploaded to the server. It also occurs when the file type is not adequately verified by the server. This vulnerability could allow cybercriminals to upload any kind of executable file to the server.
In some cases, website owners might check the file extension of an uploaded file, but fail to verify that it matches the contents of the file which has been uploaded. This allows executable code to be hidden within files with different extensions.
To avoid this vulnerability, the application must thoroughly check the files that are being uploaded and reject file types that can cause damage to the server. The application should not rely solely on the Content-Type HTTP header when checking file types (the client chooses that value), but should instead inspect the file's actual contents.
Arbitrary file uploads
This vulnerability is created when a user is allowed to upload a file without being authenticated by the application. The ability to upload should be restricted to authenticated users to prevent malicious individuals from uploading random files to your server. Allowing arbitrary file uploads also puts your site at greater risk of a denial of service attack.
Uncontrolled resource consumption
Applications should place restrictions on the size of files that can be uploaded and on the number of files that can be uploaded. Failure to do so can allow users to upload very large files or thousands of small files simultaneously, performing a DoS attack.
Files containing malware
If a website is parsing or inserting data from within an uploaded file, it may be vulnerable to files containing malware. This type of attack often uses SQL injection attacks or attempts to get the system to run another arbitrary piece of code.
Protecting your WordPress website against file upload vulnerabilities
Here are some simple steps you can take to protect your website against file upload vulnerabilities.
Only allow specific file extensions
By default, WordPress allows registered users to upload many types of files. This includes various types of image, audio, video, and document files. You can reduce the types of files that users can upload by installing a plugin like WP Upload Restriction.
Use a WordPress form plugin that is secure
If you intend to accept file uploads on your WordPress website, choose a well-known file upload plugin that has excellent security. At a minimum, the plugin should safeguard your form against common form attacks like Cross-Site Request Forgery (CSRF) and Cross-Site Scripting (XSS) attacks.
Webmasters can also install a WordPress plugin that has real file type detection, MIME type analysis and mapping, SVG sanitisation and a file upload debugger. Such a plugin makes it easier to validate files and to create a whitelist of accepted MIME file types.
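As an added example (not the article's or any plugin's code), the two WordPress core filters below implement the advice of this section and of the "dangerous type" section above: upload_mimes replaces the default allowlist, and wp_handle_upload_prefilter compares what libmagic says the bytes are with the extension, instead of trusting the Content-Type header. It assumes PHP's fileinfo extension is loaded and that the code runs from a small plugin or the theme's functions.php.

```php
<?php
// Added example (not from the article): a strict upload allowlist plus a
// content check that the bytes really are what the extension claims.
// Uses only WordPress core filters and PHP's fileinfo extension.

// 1. Replace the default allowlist with a short one: anything not listed here
//    is refused by WordPress before any of our own checks run.
add_filter( 'upload_mimes', function ( array $mimes ) {
    return array(
        'jpg|jpeg' => 'image/jpeg',
        'png'      => 'image/png',
        'gif'      => 'image/gif',
        'pdf'      => 'application/pdf',
    );
} );

// 2. Verify the contents, not the Content-Type header the browser sent.
//    Setting $file['error'] makes WordPress abort the upload with that message.
add_filter( 'wp_handle_upload_prefilter', function ( array $file ) {
    if ( empty( $file['tmp_name'] ) ) {
        $file['error'] = 'No file was uploaded.';
        return $file;
    }
    // WordPress's own view: extension plus, for images, a magic-byte check.
    $check = wp_check_filetype_and_ext( $file['tmp_name'], $file['name'] );
    if ( empty( $check['ext'] ) || empty( $check['type'] ) ) {
        $file['error'] = 'This file type is not allowed.';
        return $file;
    }
    // Independent view from libmagic on the actual bytes on disk.
    $real = ( new finfo( FILEINFO_MIME_TYPE ) )->file( $file['tmp_name'] );
    if ( $real !== $check['type'] || ! in_array( $real, get_allowed_mime_types(), true ) ) {
        // e.g. a PHP script renamed to .jpg, or HTML stored inside a .png
        $file['error'] = 'File contents do not match the file extension.';
        return $file;
    }
    return $file;
} );
```

Because the check runs in the prefilter, a rejected file is never moved into wp-content/uploads, so nothing is left on disk for an attacker to request.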
Reduce max file upload size
Preventing users from uploading large files will reduce the risk of your file upload system being used for a DoS attack. There are multiple ways to alter maximum file upload size. The technique that works for you will vary based on your server configuration and permissions.
If you have complete control over your server environment, you can alter the php.ini file to change the allowed size of file uploads. Open your web server’s php.ini file and alter the upload_max_filesize and post_max_size directives. Once they have been updated, restart your HTTP server.
The snippet below will change the maximum upload size to 4 megabytes. You might also want to set the max_execution_time directive, which stops the upload script if it has run for too long. Some web servers will also allow you to create a php.ini file in your website's home directory.
upload_max_filesize = 4M
post_max_size = 4M
max_execution_time = 120
Adding PHP upload values to your .htaccess
Some web servers will also allow you to adjust PHP file upload settings via the .htaccess file in your WordPress installation’s root directory. Add the following to change upload sizes and max execution/input times:
php_value upload_max_filesize 4M
php_value post_max_size 4M
php_value max_execution_time 120
php_value max_input_time 120
Only allow authorised users to upload files
By default, WordPress doesn’t allow public users to upload files. However, many WordPress administrators install plugins that contain file upload fields. This is a potential vulnerability because you are relying on the developer of that plugin to handle this content safely. Your website will be safer by only allowing certain types of registered users to upload files.
If you need a form with an upload field to only be displayed to certain users, use a plugin similar to Restrict Content. It will allow you to restrict pages and portions of pages to certain types of users.
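As an added example (not the article's code, nor any plugin's), the handler below shows what "only authorised users" and the CSRF protection mentioned earlier look like in code: the form is rendered only for users with the upload_files capability, the request must carry a valid nonce, and the file is passed to WordPress core's wp_handle_upload so the MIME allowlist still applies. The admin-post action name secure_demo_upload, the nonce name secure_demo_nonce and the shortcode secure_demo_upload_form are hypothetical.

```php
<?php
// Added example (not from the article). Hypothetical names: the admin-post
// action 'secure_demo_upload', nonce action 'secure_demo_nonce' and
// shortcode [secure_demo_upload_form]. Everything else is WordPress core.

function secure_demo_render_form() {
    // Visitors without the upload capability never even see the form.
    if ( ! current_user_can( 'upload_files' ) ) {
        return '<p>Sign in with an account that is allowed to upload files.</p>';
    }
    $nonce = wp_nonce_field( 'secure_demo_nonce', 'secure_demo_nonce', true, false );
    return '<form method="post" enctype="multipart/form-data" action="'
        . esc_url( admin_url( 'admin-post.php' ) ) . '">'
        . '<input type="hidden" name="action" value="secure_demo_upload">'
        . $nonce
        . '<input type="file" name="secure_demo_file" required>'
        . '<button type="submit">Upload</button></form>';
}
add_shortcode( 'secure_demo_upload_form', 'secure_demo_render_form' );

function secure_demo_handle_upload() {
    // CSRF: the nonce is bound to this user's session and to this action.
    if ( ! isset( $_POST['secure_demo_nonce'] )
        || ! wp_verify_nonce( $_POST['secure_demo_nonce'], 'secure_demo_nonce' ) ) {
        wp_die( 'Invalid request.', '', array( 'response' => 403 ) );
    }
    // Authorisation: a capability check, not merely "is logged in".
    if ( ! current_user_can( 'upload_files' ) ) {
        wp_die( 'You are not allowed to upload files.', '', array( 'response' => 403 ) );
    }
    if ( empty( $_FILES['secure_demo_file']['tmp_name'] ) ) {
        wp_die( 'No file received.', '', array( 'response' => 400 ) );
    }
    require_once ABSPATH . 'wp-admin/includes/file.php';
    // test_form => false: WordPress's form check is replaced by our nonce above.
    // wp_handle_upload still enforces the MIME allowlist and prefilter hooks.
    $result = wp_handle_upload( $_FILES['secure_demo_file'], array( 'test_form' => false ) );
    if ( isset( $result['error'] ) ) {
        // Generic message only: never echo paths or server details to the user.
        wp_die( 'Upload rejected.', '', array( 'response' => 400 ) );
    }
    wp_safe_redirect( add_query_arg( 'uploaded', '1', home_url( '/' ) ) );
    exit;
}
// admin_post_{action} fires only for logged-in users; the nopriv variant is
// deliberately not registered, so anonymous requests are dropped by WordPress.
add_action( 'admin_post_secure_demo_upload', 'secure_demo_handle_upload' );
```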
Add file execution restrictions using .htaccess
You can create a .htaccess file that restricts which files in the uploads directory can be requested through the web server. For example, the following .htaccess denies every request in the directory except for gif, jpeg, jpg and png files, so a script that has been uploaded there cannot be requested, and therefore cannot be executed, via a URL:
# Refuse every request for a file in this directory...
deny from all
# ...except for files whose name ends in an allowed image extension
<FilesMatch "\.(?i:gif|jpe?g|png)$">
    order deny,allow
    allow from all
</FilesMatch>
This .htaccess must not be placed into the wp-content/uploads directory itself, because hackers could potentially overwrite it by uploading another file called .htaccess. Place it in the directory above the wp-content/uploads folder. Bear in mind that deny from all applies to every file below the directory that holds the .htaccess, including plugin and theme assets if they live alongside it, so check that your site still loads correctly after adding it.
Place your uploads folder outside of the server root
Creating a new folder for storing uploads can also help to improve file security. This folder should be created outside of your website's public directory, so that hackers cannot request, and thereby execute, the files they have uploaded via a website URL.
Randomise uploaded file names
Once hackers have managed to upload an executable file to your server, they may attempt to execute it using a web browser or the command line. One simple way to stop them from running their file is to give it a random name on upload, so they cannot guess the URL or path at which it was stored.
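As an added example (not the article's code), the prefilter below renames every upload to an unguessable name while keeping the extension that WordPress goes on to validate. It uses only the WordPress core filter wp_handle_upload_prefilter and PHP's random_bytes, and can coexist with other prefilters such as content checks.

```php
<?php
// Added example (not from the article): give every upload an unguessable
// name while keeping its extension. wp_handle_upload_prefilter is a
// WordPress core hook that runs before the file is moved into uploads.
add_filter( 'wp_handle_upload_prefilter', function ( array $file ) {
    $ext = strtolower( pathinfo( $file['name'], PATHINFO_EXTENSION ) );
    // Only keep a plain alphanumeric extension; anything else falls through
    // to WordPress's own type checks with the original name intact.
    if ( ! preg_match( '/^[a-z0-9]{1,5}$/', $ext ) ) {
        return $file;
    }
    // 128 bits from the CSPRNG: the new name is not derived from the
    // original filename, the upload time or the user, so it cannot be guessed.
    $file['name'] = bin2hex( random_bytes( 16 ) ) . '.' . $ext;
    return $file;
} );
```

The original name is still available to WordPress for the attachment title if you need it, but the stored file and its URL no longer reveal it.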
Don’t give information away
If a user uploads a file that triggers an error, make sure WordPress and PHP only display a very simple error message. Avoid displaying sensitive information like file paths, WordPress installation details, or server configuration information. This information could be exploited by a hacker. Hackers will use many different techniques to obtain error messages from your website including uploading files that are the wrong format, too large, or which have a very long filename.
Add a CAPTCHA to your forms
Adding a WordPress CAPTCHA plugin to your site makes it much harder for cybercriminals to use your forms for automated DoS attacks.
Force uploads to be delivered in the correct file format
One of the biggest problems with handling uploads is that hackers can hide executable code within image file formats. You can reduce this risk by forcing the web server to send the correct image headers before you display an image on your website. For example, the following will force the browser to treat the file as a PNG image, rather than sniffing its contents and interpreting them as HTML or script:
<?php
// Read the stored upload and send it with explicit headers; nosniff stops
// the browser from second-guessing the declared type.
$data = file_get_contents('/home/potentially-dangerous-file.png');
header('Content-Type: image/png');
header('Content-Length: ' . strlen($data));
header('X-Content-Type-Options: nosniff');
echo $data;
You can also process uploaded images using image manipulation software like GD. By decoding the image and re-saving it, you discard everything that is not pixel data, including code hidden in metadata or appended after the image itself.
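As an added example (not the article's code), the filter below re-encodes each stored image through GD right after WordPress has saved it, so only decoder-produced bytes remain on disk. It uses the WordPress core hook wp_handle_upload and PHP's GD functions; animated GIFs are flattened to their first frame, which is the trade-off of this approach.

```php
<?php
// Added example (not from the article): re-encode uploaded images through GD
// after WordPress has stored them. Anything that is not pixel data (EXIF,
// comments, trailing bytes, polyglot payloads) is discarded.
add_filter( 'wp_handle_upload', function ( array $upload ) {
    $path = $upload['file'];
    // Identify the type from the bytes, not from the extension or $upload['type'].
    $info = @getimagesize( $path );
    $type = $info ? $info[2] : 0;
    switch ( $type ) {
        case IMAGETYPE_JPEG: $img = @imagecreatefromjpeg( $path ); break;
        case IMAGETYPE_PNG:  $img = @imagecreatefrompng( $path );  break;
        case IMAGETYPE_GIF:  $img = @imagecreatefromgif( $path );  break;
        default:
            return $upload; // not an image type we re-encode (e.g. PDF)
    }
    if ( ! $img ) {
        // The decoder rejected it: malformed, or not really an image. Drop it.
        @unlink( $path );
        return array( 'error' => 'Image could not be processed.' );
    }
    // Write fresh, decoder-produced bytes over the original file.
    switch ( $type ) {
        case IMAGETYPE_JPEG:
            imagejpeg( $img, $path, 90 );
            break;
        case IMAGETYPE_PNG:
            imagealphablending( $img, false ); // keep transparency intact
            imagesavealpha( $img, true );
            imagepng( $img, $path, 6 );
            break;
        case IMAGETYPE_GIF:
            imagegif( $img, $path );
            break;
    }
    imagedestroy( $img );
    return $upload;
} );
```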
Use a virus scanner on your server
Server-side virus scanners can detect file uploads that contain malware, trojans and viruses. The most common application for this task is ClamAV, an open source antivirus engine. Make sure it is configured to automatically scan uploads that are added to your web server.