Able to upload malicious files to Pega Cloud File Storage
A user can upload malicious files to Pega Cloud File Storage. The file storage does not detect EICAR files.
Steps to Reproduce
Drag and drop malicious files into the Pega Cloud File Storage system.
A defect in Pegasystems’ code or rules.
With the 'Select Files' option, the file is uploaded to the Service Export Directory on the server. This initiates the anti-virus run, and the file is quarantined if it contains a virus. With the 'drag-drop' option, the file is sent to the server as a form parameter. This skips the anti-virus run because the uploaded file is not a physical file in the server directory; it arrives as a form parameter in the HTTP POST request.
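The gap between the two paths, as an added example that is not Pega's code: a handler for the form-parameter path that parses the POST body and scans each file part in memory before storing it. The scanner is a stand-in that recognises only the EICAR test string; the function names, the multipart/form-data encoding and the sample request are assumptions constructed for illustration.

```python
from email.parser import BytesParser
from email.policy import default

# EICAR test string (harmless industry-standard AV test pattern), split in two
# so this source file is not itself flagged by an on-access scanner.
EICAR = (r"X5O!P%@AP[4\PZX54(P^)7CC)7}$" + "EICAR-STANDARD-ANTIVIRUS-TEST-FILE!$H+H*").encode()

def scan_bytes(data: bytes) -> bool:
    """Stand-in for a real engine call (assumption); flags only the EICAR pattern."""
    return EICAR in data

def file_parts(content_type: str, body: bytes):
    """Yield (filename, content) for each file field of a multipart/form-data body."""
    head = b"Content-Type: " + content_type.encode() + b"\r\n\r\n"
    msg = BytesParser(policy=default).parsebytes(head + body)
    for part in msg.iter_parts():
        if part.get_filename():
            yield part.get_filename(), part.get_payload(decode=True)

def handle_drag_drop(content_type, body, scan_request_body):
    """Return (stored, quarantined). scan_request_body=False models the defect:
    the content never lands in a scanned directory, so nothing inspects it."""
    stored, quarantined = {}, []
    for name, data in file_parts(content_type, body):
        if scan_request_body and scan_bytes(data):
            quarantined.append(name)  # same outcome as the 'Select Files' path
        else:
            stored[name] = data
    return stored, quarantined

def build_body(files, boundary="constructed-boundary"):
    """Constructed sample request: one form part per (filename, bytes) pair."""
    out = b""
    for name, data in files:
        out += (f'--{boundary}\r\nContent-Disposition: form-data; name="file"; '
                f'filename="{name}"\r\n\r\n').encode() + data + b"\r\n"
    return f"multipart/form-data; boundary={boundary}", out + f"--{boundary}--\r\n".encode()

CTYPE, BODY = build_body([("notes.txt", b"hello"), ("test.com", EICAR)])

if __name__ == "__main__":
    print("unscanned form path quarantined:", handle_drag_drop(CTYPE, BODY, False)[1])
    print("scanned form path quarantined:  ", handle_drag_drop(CTYPE, BODY, True)[1])
```

Scanning the decoded bytes at the point where they enter the application makes the check independent of whether the content is ever written to a monitored directory.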