Task #12580

Task #12556: Pentest - 2nd Assessment [2021]

Pentest_CDB - [POTENTIAL] Malicious File Upload [LOW]

Added by Nurul Athira Abdul Rahim almost 3 years ago. Updated 6 months ago.

Status: Rejected - End of life cycle
Start date: November 09, 2021
Priority: Normal
Due date:
Assignee: Najmi Pasarudin
% Done: 0%
Category: Penetration Test Issue
Spent time: -
Target version: -

Description

Uploaded files represent a significant risk to applications. Many applications' business processes allow users to upload files to the application server. Although many sites implement simple restrictions based on a list of permitted (or blocked) extensions, this is not sufficient to prevent attackers from uploading legitimate file types that contain malicious content.

The application accepts uploaded files that may include exploits without submitting them to malicious-file scanning.

Solution suggested by LGMS:

- Run the file through an antivirus or a sandbox, if available, to validate that it does not contain malicious data.

- Store the files on a different server. If that is not possible, store them outside the webroot. Where the files must be publicly accessible, serve them through a handler that maps an identifier to the filename inside the application (someid -> file.ext).
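The following is an added illustration of the second recommendation (and of a pluggable hook for the first); it is example code written for this ticket, not code from the BSN CDB application, from LGMS, or from the pentest report. The application itself is a Java (.action) front end; Python is used here only to show the mechanics. Everything in it is an assumption: that the batch files are plain-text/CSV (the `.csv`/`.txt` allowlist), the 5 MB limit, the storage directory, the id-to-name index, and the optional clamd `INSTREAM` scanner on `127.0.0.1:3310`.

```python
import re
import secrets
import socket
import tempfile
from pathlib import Path
from typing import Callable, Dict, Optional, Tuple

# Hypothetical policy for the batch-upload modules. Assumption: enrollment,
# billing and LHDN batch files are plain-text/CSV; adjust to the real formats.
ALLOWED_EXTENSIONS = {".csv", ".txt"}
MAX_BYTES = 5 * 1024 * 1024

# Leading bytes of executable/container formats that are never acceptable in a
# file claiming to be text, whatever its extension says.
FORBIDDEN_MAGIC = (
    b"MZ",                # Windows PE
    b"\x7fELF",           # ELF
    b"PK\x03\x04",        # ZIP, OOXML, JAR
    b"%PDF",              # PDF
    b"\xd0\xcf\x11\xe0",  # OLE2 (legacy Office)
    b"<?php",             # PHP source
    b"<%",                # JSP/ASP source
)
# Printable text plus tab/CR/LF; anything else (NUL, escape sequences) is rejected.
_CONTROL_CHARS = re.compile(r"[^\t\r\n\x20-\x7e\u00a0-\uffff]")


class UploadRejected(ValueError):
    pass


def validate_upload(filename: str, data: bytes) -> str:
    """Check extension, size and the actual content; return the extension on success."""
    ext = Path(filename).suffix.lower()
    if ext not in ALLOWED_EXTENSIONS:
        raise UploadRejected(f"extension {ext!r} not allowed")
    if not data or len(data) > MAX_BYTES:
        raise UploadRejected("empty or oversized upload")
    if any(data.startswith(magic) for magic in FORBIDDEN_MAGIC):
        raise UploadRejected("content does not match the declared text type")
    try:
        text = data.decode("utf-8")
    except UnicodeDecodeError:
        raise UploadRejected("not valid UTF-8 text") from None
    if _CONTROL_CHARS.search(text):
        raise UploadRejected("control characters in text upload")
    return ext


def clamd_scan(data: bytes, host: str = "127.0.0.1", port: int = 3310) -> bool:
    """Scan with a local clamd via its INSTREAM protocol; True means clean.
    Raises OSError when clamd is unreachable so the caller can fail closed."""
    with socket.create_connection((host, port), timeout=10) as sock:
        sock.sendall(b"zINSTREAM\0")
        for off in range(0, len(data), 65536):
            chunk = data[off:off + 65536]
            sock.sendall(len(chunk).to_bytes(4, "big") + chunk)
        sock.sendall(b"\0\0\0\0")  # zero-length chunk terminates the stream
        reply = sock.recv(4096)
    return reply.rstrip(b"\0\n").endswith(b"OK")


class UploadStore:
    """Keeps uploads outside the webroot under random ids. The browser only ever
    sees the id; the id -> original-name mapping stays inside the application."""

    def __init__(self, root: Path, scanner: Optional[Callable[[bytes], bool]] = None):
        self.root = root
        self.scanner = scanner  # e.g. clamd_scan, or None when no AV is available
        self._index: Dict[str, str] = {}

    def save(self, filename: str, data: bytes) -> str:
        validate_upload(filename, data)
        if self.scanner is not None and not self.scanner(data):
            raise UploadRejected("flagged by malware scanner")
        file_id = secrets.token_urlsafe(16)
        # On-disk name carries no user-controlled bytes: the original filename can
        # never become a path component or an executable name on the server.
        (self.root / file_id).write_bytes(data)
        display = re.sub(r"[^A-Za-z0-9._-]", "_", Path(filename).name) or "download"
        self._index[file_id] = display
        return file_id

    def open_for_download(self, file_id: str) -> Tuple[str, bytes, Dict[str, str]]:
        """Resolve an id for a download handler; an unknown id is a 404, not a path."""
        if file_id not in self._index:
            raise KeyError("unknown file id")
        data = (self.root / file_id).read_bytes()
        headers = {
            # Always served as a download, never rendered, so a CSV with HTML in
            # it cannot turn into stored XSS even if the content check were bypassed.
            "Content-Type": "application/octet-stream",
            "Content-Disposition": f'attachment; filename="{self._index[file_id]}"',
            "X-Content-Type-Options": "nosniff",
        }
        return self._index[file_id], data, headers


def new_temp_root() -> Path:
    """Throwaway storage directory outside any webroot, for demos and tests."""
    return Path(tempfile.mkdtemp(prefix="cdb-uploads-"))


if __name__ == "__main__":
    store = UploadStore(new_temp_root())  # scanner=None: no AV on this host
    fid = store.save("billing.csv", b"acct,amount\r\n1234567890,10.00\r\n")
    print("stored as", fid, "->", store.open_for_download(fid)[2])
    for name, blob in [("payload.exe", b"MZ\x90"), ("payload.csv", b"MZ\x90")]:
        try:
            store.save(name, blob)
        except UploadRejected as err:
            print(name, "rejected:", err)
```

The point of the design is that the extension allowlist is the weakest of the checks: the content sniffing, the text validation, the random on-disk name, and the forced `attachment` download each still hold when a file has a permitted extension but hostile content. When no scanner is available (the situation recorded in this ticket), `scanner=None` leaves those other controls in place rather than removing the whole remediation.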

Affected Module and URL:

[Auto Debit - File Upload - Enrollment]
https://10.10.55.34:9444/bsn-cdb-uat/ib126_ibAutoDebitEnrollmentFileUploadConfirm.action

[Auto Debit - File Upload - Billing]
https://10.10.55.34:9444/bsn-cdb-uat/ib126_ibAutoDebitBillingFileUploadConfirm.action

[Auto Debit - Data Entry - Enrollment Edit Data]
https://10.10.55.34:9444/bsn-cdb-uat/ib126_ibAutoDebitEnrollmentDataEntryEditDataDetail.action?isEdit=true

[Auto Debit - Data Entry - Billing Edit Data]
https://10.10.55.34:9444/bsn-cdb-uat/ib126_ibAutoDebitBillingDataEntryEditDataDetail.action?isEdit=true

[Bulk Payment - File Upload]
https://10.10.55.34:9444/bsn-cdb-uat/ib127_ibAutoCreditFileUploadConfirm.action

[Bulk Payment - Data Entry]
https://10.10.55.34:9444/bsn-cdb-uat/ib127_ibAutoCreditDataEntryEditDataDetail.action?isEdit=true

[Statutory Body - LHDN - LHDN File Upload]
https://10.10.55.34:9444/bsn-cdb-uat/ib132_ibStatutoryBodyLHDNFileUploadConfirm.action

[Statutory Body - LHDN - LHDN Data Entry]
https://10.10.55.34:9444/bsn-cdb-uat/ib132_ibStatutoryBodyLHDNDataEntryEditDataDetail.action?isEdit=true


Related issues

Related to BSN CDB Support - Support #12936: [SCP ID :##6250##] : Web Application Pentest Remediation Work Completed (End life cycle, April 21, 2022)

History

#1 Updated by Nurul Athira Abdul Rahim over 2 years ago

  • Status changed from New - Begin Life Cycle to Development / Work In Progress

Kindly review the fixes, as the new pentest (March,9,20202) result status stated "not solved".

#2 Updated by Najmi Pasarudin 6 months ago

  • Status changed from Development / Work In Progress to Rejected - End of life cycle

Currently not possible to scan file upload with anti-virus
