Vulnerability: Lack of File Upload Extension Control in DevTest Portal 10.6

Article ID: 221515

Products

Service Virtualization

Issue/Introduction


File upload not validating extension

We have recently purchased/installed DevTest 10.6 and our security team has shared the below findings:

Many applications use file upload features to load various data and allow editing. However, only the file types allowed by the application process should be permitted for loading, and the application's needs should be observed when determining which file types to allow. Otherwise, attackers can upload a different file type and perform attacks such as defacement, command execution, roaming system files, and exploiting local vulnerabilities.

For example, when uploading RR files, we should be using .zip files.
However, we found that the extension can be modified and files with any extension can be uploaded.
This is an example where we sent a POST request with the uploaded file extension being .HTML.

Expectation: file extension and content validation
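As an added example (not DevTest's own code), the following shows the kind of server-side check the expectation above describes for an RR-pair upload: the extension is allowlisted case-insensitively, and the content must also be a parseable ZIP archive, so a file that is merely renamed to .zip is rejected as well. The names validate_rr_upload, check and the in-memory sample archive are constructed for illustration.

```python
import io
import os
import zipfile

# Constructed example (not DevTest's own code): validate an RR-pair upload
# on both extension and content, as the finding's expectation asks.
ALLOWED_EXTENSIONS = {".zip"}
ZIP_SIGNATURES = (b"PK\x03\x04", b"PK\x05\x06")  # local header / empty-archive EOCD


class UploadRejected(ValueError):
    """Raised when an upload fails extension or content validation."""


def validate_rr_upload(filename: str, data: bytes) -> str:
    """Return the base filename if the upload is an acceptable .zip archive.

    Three independent checks, so that renaming the file alone cannot pass:
    1. the extension (case-insensitive) must be on the allowlist,
    2. the first bytes must be a ZIP signature,
    3. the archive must parse and every member must pass its CRC check.
    """
    base = os.path.basename(filename)        # ignore any client-supplied directory part
    ext = os.path.splitext(base)[1].lower()  # ".HTML" -> ".html"
    if ext not in ALLOWED_EXTENSIONS:
        raise UploadRejected(f"extension {ext!r} not allowed")
    if not data.startswith(ZIP_SIGNATURES):
        raise UploadRejected("content does not look like a ZIP archive")
    try:
        with zipfile.ZipFile(io.BytesIO(data)) as zf:
            bad_member = zf.testzip()        # None when all members are intact
    except zipfile.BadZipFile as exc:
        raise UploadRejected(f"content is not a valid ZIP archive: {exc}") from exc
    if bad_member is not None:
        raise UploadRejected(f"corrupt member in archive: {bad_member}")
    return base


def make_sample_zip() -> bytes:
    """Constructed in-memory archive standing in for a real RR-pair upload."""
    buf = io.BytesIO()
    with zipfile.ZipFile(buf, "w") as zf:
        zf.writestr("sample-req.txt", "GET /sample HTTP/1.1\r\n")
        zf.writestr("sample-rsp.txt", "HTTP/1.1 200 OK\r\n")
    return buf.getvalue()


def check(filename: str, data: bytes) -> str:
    """Wrap the validator so callers get a one-line verdict instead of an exception."""
    try:
        validate_rr_upload(filename, data)
        return "accepted"
    except UploadRejected as exc:
        return f"rejected: {exc}"
```

Running check("pairs.HTML", ...) reproduces the reported case and is rejected on the extension, while check("pairs.zip", b"<html>...") is rejected on content, which is the part the original upload path was missing.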



Environment

Release : 10.6

Component : CA Service Virtualization

Resolution

This is resolved with the following patch: phoenix-10.6.0-DE505984.war

If you need a copy of the patch, please open a support case and let Support know you are referencing the fix in DE505984.

Note: This fix will be included in DevTest 10.7.

How to apply the patch

The following steps need to be performed on the PORTAL server:

1. Stop PORTAL service

2. Place the patch file "phoenix-10.6.0-DE505984.war" in the LISA_HOME\webserver\patches folder

3. Edit the file LISA_HOME/logging.properties

4. Add the following line:

     log4j.logger.com.ca.sv.ui.service.RRPairUploadService=DEBUG

5. Start the PORTAL service

6. Repeat the test and verify that the fix addresses the reported vulnerability