
Unauthorized File Access


Restricting access to only those files permitted for a user is a critical part of a Web server's responsibility. Sometimes, either through a bug in the server or a programming error in the application code, the Web server does not properly restrict access to files on the system, permitting attackers to download files they would not normally have access to.

Mitigation

If an attacker exploits a flaw in the Web server, Immunio will block access to unauthorized files at the system level, preventing the attack from succeeding.

Attackers will upload files which may be interpreted, or executed, by the Web server when later displayed, giving the attacker access to restricted areas of the server. By restricting file types during uploads, potentially harmful files are forbidden.

In addition to ensuring only the proper files are read by users, IMMUNIO will prevent files with the following extensions from being uploaded:

    rb
    py
    php
    php3
    php4
    php5
    asp
    aspx
    jsp
    exe
    com
    bat
    sh
    jar

IMMUNIO will detect attempts to read files unintended for the public and, if configured to do so, will alert with the details on the dashboard and block the request before the file is read or written to.
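As an added illustration (not Immunio's own code), the two checks this page describes, written in Python: an upload-name filter built on the extension list above that also catches case variants, double extensions and trailing dots, and a path resolver that refuses reads outside the configured web root. The web root /srv/www and the sample file names are constructed for the example.

```python
import os
import unicodedata
from pathlib import PurePosixPath
from typing import Optional

# Extension blocklist exactly as listed on this page.
BLOCKED_EXTENSIONS = frozenset({
    "rb", "py", "php", "php3", "php4", "php5", "asp", "aspx",
    "jsp", "exe", "com", "bat", "sh", "jar",
})


def blocked_upload_reason(filename: str) -> Optional[str]:
    """Return the offending extension if the upload should be rejected, else None.

    Illustrative check, not the product's implementation. Every dotted segment
    after the first is inspected, not only the last one, so 'shell.php.jpg' is
    rejected along with 'SHELL.PHP' and 'shell.php.' (trailing dot).
    """
    # Fold look-alike Unicode forms (e.g. fullwidth letters) and strip
    # trailing dots/spaces that some filesystems silently discard.
    name = unicodedata.normalize("NFKC", filename).strip().rstrip(". ")
    # Drop any directory component smuggled into the file name.
    name = PurePosixPath(name.replace("\\", "/")).name
    for ext in name.lower().split(".")[1:]:
        if ext in BLOCKED_EXTENSIONS:
            return ext
    return None


def resolve_within_root(web_root: str, requested: str) -> Optional[str]:
    """Resolve a requested path under web_root; None if it escapes the root.

    realpath() collapses '..' segments and follows symlinks before the
    containment check, so 'images/../../secret' is refused as well.
    """
    root = os.path.realpath(web_root)
    candidate = os.path.realpath(os.path.join(root, requested.lstrip("/\\")))
    if os.path.commonpath([root, candidate]) != root:
        return None
    return candidate


if __name__ == "__main__":
    # Constructed sample inputs.
    for fname in ("report.pdf", "shell.php.jpg", "SHELL.PHP", "evil.sh."):
        print(f"{fname!r:20} -> blocked ext: {blocked_upload_reason(fname)}")
    for req in ("images/logo.png", "../../etc/passwd"):
        print(f"{req!r:20} -> {resolve_within_root('/srv/www', req)}")
```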