File upload validation bypass

Apache2 .htaccess upload method

If a .htaccess file can be uploaded to the root of the website, server-side validation can be bypassed by uploading a new .htaccess file that makes the server treat a chosen file extension as another, executable file type. Code execution can be achieved using this method. For example, given the file extension .malicious, the server can be tricked into treating files with this extension as PHP files, so PHP code stored in these files is executed.

# /var/wwwroot/html/.htaccess
# ...
AddType application/x-httpd-php .malicious
# ...

After uploading revshell.malicious to the server (which is now a valid file and will be executed as a PHP file), we can access the file and get a reverse shell.

Mitigation:

  • Validate file uploads thoroughly (check MIME types and extensions, and do not allow dotfile uploads)
  • Use a file type whitelist
  • Do not use a file type blacklist (a blacklist may not be sufficient, and the .htaccess file could easily be forgotten when building it)
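
The mitigation list above as an upload check in Python. This is an added example, not code from the original page; the function name validate_upload, the image-only allowlist and the sample inputs are assumptions made for illustration.

```python
import os
from typing import Tuple

# Assumed allowlist for an image-upload feature:
# extension -> magic-byte prefixes accepted for that extension.
ALLOWED = {
    ".png": (b"\x89PNG\r\n\x1a\n",),
    ".jpg": (b"\xff\xd8\xff",),
    ".jpeg": (b"\xff\xd8\xff",),
    ".gif": (b"GIF87a", b"GIF89a"),
}


def validate_upload(filename: str, content: bytes) -> Tuple[bool, str]:
    """Return (accepted, reason) for a client-supplied file name and body."""
    # The name must be a bare file name: no directory part in either
    # separator style, so the upload cannot be steered into another folder.
    name = os.path.basename(filename.replace("\\", "/"))
    if not name or name != filename or "\x00" in name:
        return False, "invalid file name"
    # Dotfiles such as .htaccess are refused before any extension logic runs.
    if name.startswith("."):
        return False, "dotfile"
    # Allowlist, not blocklist: unknown extensions (.malicious) never pass.
    ext = os.path.splitext(name.lower())[1]
    if ext not in ALLOWED:
        return False, "extension not on allowlist"
    # The body must look like the type the extension claims; the
    # client-sent Content-Type header is not trusted for this.
    if not content.startswith(ALLOWED[ext]):
        return False, "content does not match extension"
    return True, "ok"


if __name__ == "__main__":
    # Constructed sample uploads, including the two files from the text.
    samples = [
        (".htaccess", b"AddType application/x-httpd-php .malicious\n"),
        ("revshell.malicious", b"<?php /* placeholder */ ?>"),
        ("photo.png", b"<?php /* placeholder */ ?>"),
        ("photo.png", b"\x89PNG\r\n\x1a\n" + b"\x00" * 8),
    ]
    for fname, body in samples:
        print(fname, validate_upload(fname, body))
```
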