Subject: Malicious File Upload
Date: Mon, 19 Nov 2018 11:38:47 +0530
To: bug-Cloudinary [...] rt.cpan.org
From: Sachin Gupta <sachincyber25 [...] gmail.com>
Dear Sir,
I am Sachin Gupta from India. I am a Security Researcher. I have found a security vulnerability in your website.
Malicious File Upload:
Code vulnerable to remote file inclusion (RFI) allows attackers to include hostile code and data, resulting in devastating attacks, such as total server compromise. Malicious file execution attacks affect PHP, XML and any framework which accepts filenames or files from users.
Link - https://cloudinary.com/jobs/ta_lead
Upload Null byte File.
Solution:
The following solutions are recommended to fix this flaw:
I. Application should check allowed File extension and File type (MIME Type) in the upload module using a white-list filter at server side.
II. File to be uploaded should be restricted to a particular size.
III. Server side check for not allowing long filename with double extension/double dot(.)/nullbyte(%00)/meta characters.
IV. Assign only Read and Write permissions to the upload folders as required.
--
Sachin Gupta
Managing Director
www.cyberzone.org.in
+91-8418888833
Official Page-
https://www.facebook.com/LearnethicalHackingFromSachinGuptaMayankKhare
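An added example, not part of this report or of Cloudinary's code, showing checks I to III of the suggested solution as a single server-side validator in Python. The size limit, name length limit, extension whitelist and magic-byte signatures are assumed values chosen for illustration.

```python
import re

MAX_NAME_LEN = 64            # assumed limit for this example
MAX_SIZE = 2 * 1024 * 1024   # 2 MiB, assumed limit for this example
SAFE_STEM = re.compile(r"[A-Za-z0-9_-]+")

# Server-side whitelist: extension -> (expected MIME type, accepted magic bytes).
# Assumed set; a real deployment lists only the types the feature needs.
ALLOWED = {
    "pdf":  ("application/pdf", (b"%PDF-",)),
    "png":  ("image/png", (b"\x89PNG\r\n\x1a\n",)),
    "jpg":  ("image/jpeg", (b"\xff\xd8\xff",)),
    "jpeg": ("image/jpeg", (b"\xff\xd8\xff",)),
}


def validate_upload(filename, declared_mime, data):
    """Return (accepted, detail): detail is the stored name or the rejection reason."""
    # Keep only the final path component; the client may send a full path.
    base = filename.replace("\\", "/").rsplit("/", 1)[-1]
    # III: a raw or URL-encoded null byte can truncate the name further down the stack.
    if "\x00" in base or "%00" in base.lower():
        return False, "null byte in filename"
    if len(base) > MAX_NAME_LEN:
        return False, "filename too long"
    # III: exactly one dot, so "shell.php.pdf" and ".htaccess" are both rejected.
    parts = base.split(".")
    if len(parts) != 2 or not parts[0]:
        return False, "exactly one extension required"
    stem, ext = parts[0], parts[1].lower()
    if not SAFE_STEM.fullmatch(stem):
        return False, "meta characters in filename"
    # I: the extension must be on the whitelist, not merely absent from a blacklist.
    if ext not in ALLOWED:
        return False, f"extension .{ext} not allowed"
    expected_mime, magics = ALLOWED[ext]
    # II: size limit.
    if len(data) > MAX_SIZE:
        return False, "file too large"
    # I: the declared MIME type must match the extension ...
    if declared_mime.split(";")[0].strip().lower() != expected_mime:
        return False, "declared MIME type does not match extension"
    # ... and, because the client controls that header, the bytes must match too.
    if not data.startswith(magics):
        return False, "content does not match declared type"
    return True, f"{stem}.{ext}"
```

The stored name is rebuilt from the validated stem and extension, so nothing from the client-supplied string reaches the filesystem unchecked.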