First post here, so time to make a fool of myself I guess.
I’ve been working on a file upload script, and as part of debugging an unrelated issue I dumped out form/url/etc. parameters, when something jumped out at me. The name of the temporary file was this:
which just seemed really… basic. This was then followed up by another thought. The format looks pretty simple, just something like tmp-#itr#.upload
Could an attacker try submitting a bunch of requests, and just iterating through that value? I don’t even think they would have to submit a file, since it’s essentially just a text field containing the filename at that point.
I was hoping someone would give me a quick rundown on what happens behind the scenes when a file gets uploaded, and how these names are generated, and if there are measures in place that prevent an attack like this from happening?
And would it hurt anything to have the names be a bit more complicated? Usually I do something like
when I need a file to have a unique/difficult to guess name.
EDIT: Felt like I should go ahead and note this as well. I am assuming there are measures in place, but I wasn’t able to find anything in the documentation about it. My guess is that the temp name placed in the form field doesn’t actually correspond to the file name as it’s stored on the disk but is rather mapped in some table, possibly stored in the session variable, which is where the original name, date last modified, etc. are also kept. Again though, that’s just a guess.
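Added example, not part of the original post and not the code of any particular platform: a sketch of the kind of design the EDIT guesses at, where the value a client sends back is only a lookup key into a per-session table and the on-disk name comes from a CSPRNG. The `UploadStore` class, its methods, the session ids and the sample data are all hypothetical.

```python
import os
import secrets
import tempfile


class UploadStore:
    """Per-session registry of temp uploads (hypothetical design, not a real platform API)."""

    def __init__(self, root):
        self.root = os.path.realpath(root)
        self._by_session = {}  # session_id -> {handle: (disk_path, original_name)}

    def save(self, session_id, original_name, data):
        # 128 bits from the OS CSPRNG, so handles cannot be found by counting upward.
        handle = secrets.token_hex(16)
        disk_path = os.path.join(self.root, handle + ".upload")
        # O_EXCL refuses to reuse an existing file; 0o600 limits access to the owner.
        fd = os.open(disk_path, os.O_WRONLY | os.O_CREAT | os.O_EXCL, 0o600)
        with os.fdopen(fd, "wb") as fh:
            fh.write(data)
        self._by_session.setdefault(session_id, {})[handle] = (disk_path, original_name)
        return handle

    def resolve(self, session_id, handle):
        # The client-supplied value is only a dictionary key, never joined into a path,
        # and only handles registered for this session resolve.
        entry = self._by_session.get(session_id, {}).get(handle)
        if entry is None:
            raise PermissionError("unknown upload handle for this session")
        return entry


def demo():
    """Run constructed submissions against the store and report each outcome."""
    with tempfile.TemporaryDirectory() as root:
        store = UploadStore(root)
        a = store.save("session-A", "report.pdf", b"constructed sample A")
        b = store.save("session-B", "notes.txt", b"constructed sample B")
        results = {"own": store.resolve("session-A", a)[1]}
        # Values session A might send that it never received from the server.
        for label, value in [("other_session", b), ("sequential", "tmp-1"), ("traversal", "../" + b)]:
            try:
                store.resolve("session-A", value)
                results[label] = "resolved"
            except PermissionError:
                results[label] = "rejected"
        return results


if __name__ == "__main__":
    print(demo())
```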