Question Malicious file upload is possible in the application

An attacker can upload malicious executable files on the system by simply renaming .exe file to .jpeg and the kunena forum allows it to upload even if the mime type check is active and the .exe extension is added to not allowed list.

It should do proper checks on Content type as well. This is a high risk vulnerability!

I'm using version 5.0.14 and we cannot give it to client till it is fixed. Please help me to put this code manually. Images are attached below.

This is not a vulnerability as even if you upload the file, Windows will not allow it to be run, but sees it as a broken jpeg file. File content is almost impossible to detect properly, think about a bat file uploaded as a text file.

then how can we prevent this type of broken file in a simple php file upload or kunena jquery

Hello,

Why do-you want to prevent the upload if the file (in case of exe) can't be executed ?

We have kunena forum installed on our website nhp.org.in and the mime type check is active in the configuration (ref, attachments) but it is not working as it is possible to upload any exe file file by renaming it to jpeg/pdf or any allowed mime type (even malware file!)

As you can see in attachments I have enabled the mime type check but it still allows exe file to be uploaded when renamed.

If we view attachments page of the forum it clearly identifies the type as application/x-dosexec but still allows it to upload.

This is a security risk. Please help us fix this in our current version of Kenena
5.0.14 because for some reasons we are not able to update it. Your help will be highly appreciated.

PS. it even got uploaded here.

Regards,

xillibit wrote: Hello,

Why do-you want to prevent the upload if the file (in case of exe) can't be executed ?

Because our website has undergone security audit recently and the auditors are claiming that an attacker could use this functionality to upload malicious executable files on the system.

This is from their report:-

Vulnerability Title: Malicious (exe.) file upload is allowed in the application
Risk: High
Abstract: It was observed that the malicious file upload is possible in the application.
Ease of Exploitation: Easy
Impact: An attacker could use this functionality to upload malicious executable files on the system.
Recommendations:-
Following things should be implemented in file upload module:
1. Inspect the content of uploaded files, and enforce a white list of accepted, non-executable content types. Additionally, enforce a blacklist of common executable formats, to hinder hybrid file attacks.
2. Enforce a white list of accepted, non-executable file extensions.
3. If uploaded files are downloaded by users, supply an accurate non-generic Content-type header, and also a Content-disposition header which specifies that browsers should handle the file as an attachment.
4. Enforce a size limit on uploaded files (max 8-10 MB); this can be implemented both within application code and in the web server's configuration.
5. Reject attempts to upload archive formats such as ZIP.
6. Multiple file extension like test.pdf.txt.php.jif.jpg should not be allowed for upload.
7. Proper checks to be put on Content type and MIME type as well.

Affected URLs: throughout the application

And the client won't accept the website until it passes the security audit.

You do not must allow the file types such as the listed files. Also, you can limit the file size in the configuration.
We have now added a better file mime type check for the next release.
But I'm not understood this discussion. On the one hand your client wants a safe webpage, and on the other hand you should create a website for your client, with outdated software which contains several security risks?