Manaus Posted April 14, 2014

Hello, a client of mine wants to allow file uploading of these extensions: jpg, jpeg, gif, png, tiff, bmp, pdf, csv, txt, rtf, doc, docx, xls, xlsx, ppt, pptx, mpeg, mp4, avi, divx, wmv, rar, zip

Are there security risks with a specific format? Other indications? Thanks!

netcarver Posted April 14, 2014

@Manaus To answer your question directly (but probably inappropriately and very simplistically): any format that allows scripted actions ('pdf' with embedded JS, 'doc', 'docx', 'xls', 'xlsx', 'ppt', 'pptx' with macros) is more exploit-prone (in my view) than others. However, that does not mean that the others are exploit free. About a week ago there was an exploit announced for 'rtf' files and there have been multiple exploitable problems in rendering various image formats for years. Those file formats that require little to no interpretation to render (basically 'txt') are probably the safest - but even then, not guaranteed non-exploitable as even text files have to be displayed by something and that something might have a bug.

Exploitability of a file format is not as simple as just the internal format of the file either - it will depend on both the software being used by the viewers of the uploaded files and how security aware each of them is.

Software example: Some pdf viewers might have a rendering bug that allows a malicious pdf file to compromise a machine running that viewer - whilst another viewer of the same file might not be vulnerable to the same exploit.

Here's a user security awareness example: Some users turn off macro scripting in MS Office/LibreOffice (or JS scripting in their pdf viewer) whilst others keep it set to the default or even turn it on - and are therefore more vulnerable. Some Windows users create a non-privileged account and log in under that account - and will probably not suffer from many security issues because of this one action - but the vast majority of users will stick with the initial, privileged, user account created on their machine and are therefore at high risk.

To evaluate what file formats to accept on upload is going to require more input than just an answer to your initial question.
Your client obviously thinks there is some value to allowing all those file types but you'll need to look not only at how problematic the formats are that you want to allow but at the risks and probabilities of damage to the client's business of uploading a bad file in any particular format. For example: If the client only allows uploads from its IT staff and only allows its janitorial staff to download the uploaded files then the risk to the business from a bad pdf file might be close to zero.

I can't really give you any advice on how to do that risk assessment other than to start asking 'what if' questions about the scenario the client is proposing to you. 'What damage would be done if a malicious, even a previously trusted, user uploaded an infected PowerPoint for our Chief Financial Officer?' 'What damage would be done if a malicious docx file could masquerade as a valid rtf file and be uploaded?' 'What if my clients don't have a clue how to secure their own user accounts?' 'What if my clients are going to trust uploaded files from any source?' Etc., etc.

HTH.
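
The "docx masquerading as rtf" question above can be checked on the upload side. The following is an added example, not code from either poster: it compares a file's leading bytes with the signature expected for its extension and flags ZIP-based Office files that carry a VBA macro part. The function names, the subset of extensions and the sample inputs are assumptions made for illustration.

```python
import io
import zipfile

ZIP = b"PK\x03\x04"                          # also the container for docx/xlsx/pptx
OLE2 = b"\xd0\xcf\x11\xe0\xa1\xb1\x1a\xe1"   # legacy doc/xls/ppt container

# Leading-byte signatures for part of the extension list in the question.
# Assumed subset: tiff, bmp, csv, txt and the video formats are left out.
SIGNATURES = {
    "jpg": [b"\xff\xd8\xff"], "jpeg": [b"\xff\xd8\xff"],
    "gif": [b"GIF87a", b"GIF89a"], "png": [b"\x89PNG\r\n\x1a\n"],
    "pdf": [b"%PDF-"], "rtf": [b"{\\rtf"],
    "zip": [ZIP], "rar": [b"Rar!\x1a\x07"],
    "doc": [OLE2], "xls": [OLE2], "ppt": [OLE2],
    "docx": [ZIP], "xlsx": [ZIP], "pptx": [ZIP],
}

def has_vba_project(data):
    """True if a ZIP-based Office file carries a vbaProject.bin macro part."""
    try:
        with zipfile.ZipFile(io.BytesIO(data)) as zf:
            return any(n.lower().endswith("vbaproject.bin") for n in zf.namelist())
    except zipfile.BadZipFile:
        return False

def check_upload(filename, data):
    """Return a list of problems; an empty list means none were found."""
    ext = filename.rsplit(".", 1)[-1].lower() if "." in filename else ""
    if ext not in SIGNATURES:
        return ["extension '%s' is not covered by this check" % ext]
    problems = []
    if not any(data.startswith(sig) for sig in SIGNATURES[ext]):
        problems.append("content does not match the .%s signature" % ext)
    if data.startswith(ZIP) and has_vba_project(data):
        problems.append("contains a VBA macro project")
    return problems

def make_zip(names):
    """Build a constructed in-memory ZIP with the given member names (sample input)."""
    buf = io.BytesIO()
    with zipfile.ZipFile(buf, "w") as zf:
        for name in names:
            zf.writestr(name, "constructed sample")
    return buf.getvalue()

if __name__ == "__main__":
    docx = make_zip(["[Content_Types].xml", "word/document.xml"])
    macro = make_zip(["[Content_Types].xml", "word/document.xml", "word/vbaProject.bin"])
    print(check_upload("notes.rtf", b"{\\rtf1\\ansi constructed}"))
    print(check_upload("notes.rtf", docx))
    print(check_upload("notes.docx", macro))
```

The check only looks at header bytes and ZIP member names, so an empty result means no mismatch was found, not that the file is harmless to open.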

Manaus Posted April 14, 2014

Thanks for the detailed answer!