OutSystems Multiple File Upload Component Unrestricted File Upload Vulnerability
Vulnerability
A vulnerability allowing unrestricted file upload has been identified in the Multiple File Upload add-on for OutSystems, specifically in version 3.1.0 and prior. This issue arises because file extension and size validations are performed only on the client side. As a result, an attacker can intercept the upload request, modify the supportedExtensions parameter to bypass extension restrictions, and upload arbitrary files to the server. Additionally, the lack of proper server-side validation for file sizes could lead to denial-of-service conditions by allowing the upload of excessively large files.
Impact
Exploitation of this vulnerability could result in the upload of malicious files, such as web shells or executable scripts, to the server. The server could also experience resource exhaustion or denial-of-service conditions due to the upload of large files designed to deplete server resources.
Reproduction
To reproduce this vulnerability, intercept a file upload request using a proxy tool like Burp Suite. Modify the supportedExtensions parameter to include file types that are normally restricted. After bypassing the extension restrictions, upload a file. Additionally, tamper with the client-side JavaScript to remove or alter the file size validation, allowing the upload of excessively large files.
Remediation
Users are advised to update to version 3.1.0 or later, where file extension and size validations have been improved to include server-side checks.
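The remediation above is to move the extension and size checks to the server. The following is an added example of what such a server-side check looks like, written for this page and not taken from the Multiple File Upload component or from OutSystems. The allowlist, the size limit, the `client_supported_extensions` argument (standing in for the component's `supportedExtensions` parameter) and the magic-byte table are all assumptions; the point is that nothing the client sends influences the decision, and that the checks run on the bytes the server actually received.

```python
"""Server-side upload validation that ignores client-supplied policy.

Added example; not the component's or OutSystems' own code. Field names,
allowlist and limits are assumed values chosen for illustration.
"""
import os

# Server-side policy. The client-supplied supportedExtensions value plays no
# part in the decision, so modifying it in a proxy changes nothing.
ALLOWED_EXTENSIONS = {".pdf", ".png", ".jpg", ".jpeg"}
MAX_UPLOAD_BYTES = 5 * 1024 * 1024  # 5 MiB, assumed policy value

# Leading bytes ("magic numbers") for each allowed type, so a file that was
# merely renamed to an allowed extension is still rejected.
MAGIC = {
    ".pdf": [b"%PDF-"],
    ".png": [b"\x89PNG\r\n\x1a\n"],
    ".jpg": [b"\xff\xd8\xff"],
    ".jpeg": [b"\xff\xd8\xff"],
}


class UploadRejected(Exception):
    """Raised when an upload fails a server-side check."""


def validate_upload(filename, content, client_supported_extensions=None):
    """Return the sanitized filename if the upload passes all server-side checks.

    `client_supported_extensions` mirrors the component's supportedExtensions
    request parameter. It is accepted only to make explicit that the server
    does not consult it; the allowlist above is the only one that counts.
    """
    # 1. Size: measure the bytes received, not a client-reported length.
    if len(content) == 0:
        raise UploadRejected("empty file")
    if len(content) > MAX_UPLOAD_BYTES:
        raise UploadRejected("file exceeds %d bytes" % MAX_UPLOAD_BYTES)

    # 2. Name: drop directory components so the name cannot leave the upload
    #    directory; reject names that reduce to nothing or to "." / "..".
    base = os.path.basename(filename.replace("\\", "/"))
    if not base or base in (".", ".."):
        raise UploadRejected("invalid filename")

    # 3. Extension: server-side allowlist only, compared case-insensitively.
    #    Only the final suffix is considered, and the content check below must
    #    also pass, so a name with several suffixes gains nothing.
    ext = os.path.splitext(base)[1].lower()
    if ext not in ALLOWED_EXTENSIONS:
        raise UploadRejected("extension %r not allowed" % ext)

    # 4. Content: the leading bytes must match the claimed type.
    if not any(content.startswith(sig) for sig in MAGIC[ext]):
        raise UploadRejected("content does not match extension %r" % ext)

    return base


def is_accepted(filename, content, client_supported_extensions=None):
    """Boolean wrapper around validate_upload for quick policy checks."""
    try:
        validate_upload(filename, content, client_supported_extensions)
        return True
    except UploadRejected:
        return False


def demo():
    """Run constructed sample uploads through the validator and report outcomes."""
    png = b"\x89PNG\r\n\x1a\n" + b"\x00" * 64  # constructed minimal PNG header
    samples = [
        ("photo.PNG", png, None),
        ("../up/photo.png", png, None),
        ("notes.txt", b"hello", [".txt"]),          # client claims .txt is allowed
        ("renamed.png", b"<?xml", None),            # wrong content for .png
        ("big.pdf", b"%PDF-" + b"\x00" * MAX_UPLOAD_BYTES, None),  # over the limit
    ]
    results = {}
    for name, data, client_exts in samples:
        try:
            results[name] = "accepted as " + validate_upload(name, data, client_exts)
        except UploadRejected as exc:
            results[name] = "rejected: " + str(exc)
    return results


if __name__ == "__main__":
    for name, outcome in demo().items():
        print("%-18s %s" % (name, outcome))
```

The size check here runs on a fully buffered body; a production handler would enforce the limit while streaming the request (or at the web server or load balancer) so an oversized upload is cut off before it consumes memory or disk, which is the resource-exhaustion case the advisory describes.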