
Can reading a file be as dangerous as executing it?


In Perl, if any file type is allowed to be uploaded to a server (not in web root) and consequently downloaded, can this be dangerous? It's not being executed as such but read as binary.


Solution

  • I'll reiterate @ThisSuitIsBlackNot's links to file upload security considerations...

    These can be boiled down to...

    • Dangers to your server
      • Injecting a special file or file extension which the server will execute.
        • .htaccess (per-directory Apache configuration file)
        • .php, .asp, .cgi, etc...
      • Injecting a system file outside the download directory.
        • /etc/passwd or ../../../../etc/passwd
      • Exploiting a flaw in a processing library
        • Image resize
        • XML/JSON parsing
      • SQL injection attack
        • Filename
        • File metadata
      • Shell injection attack
        • Filename
      • Buffer overflow
        • File size
        • HTTP upload size
        • Filename size
        • Directory depth
      • Denial of Service by filling the disk
    • Dangers to others
      • Phishing attack
        • Upload a malicious .html file making it appear the URL is coming from your (trusted) host.
        • Upload a malicious .js file and refer to it from elsewhere in your domain (perhaps a forum post) to circumvent XSS attack defenses.
      • Using your service as an anonymous attack vector
        • Botnet control files
        • Pirated files including torrents
        • Personal data for blackmail or harassment purposes
        • Trojan/virus files
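The following is an added example, not code from the answer above or from any project it references, showing how a Perl upload handler can close off the filename, size, server-side execution and download-side (phishing/XSS) dangers listed in the answer. The upload directory, size caps and blocked-extension set are assumptions you would tune for your own service.

```perl
#!/usr/bin/perl
# Added example (not from the original answer): defensive handling of an
# uploaded file in Perl. Directory, limits and extension list are assumptions.
use strict;
use warnings;
use File::Basename qw(basename);
use File::Spec;
use File::Temp qw(tempfile);
use Digest::SHA;

my $UPLOAD_DIR = '/srv/uploads';      # assumed: a directory outside the web root
my $MAX_BYTES  = 10 * 1024 * 1024;    # assumed 10 MiB cap (disk-filling DoS, overflow-prone sizes)
my $MAX_NAME   = 100;                 # assumed cap on filename length

# Extensions that a web server or a browser would treat as executable or active
# content if they ever ended up reachable under the web root.
my %BLOCKED_EXT = map { $_ => 1 }
    qw(php php3 phtml asp aspx cgi pl pm sh htaccess htpasswd html htm js svg);

# Reduce a client-supplied filename to a safe basename, or return undef.
sub safe_basename {
    my ($raw) = @_;
    return undef unless defined $raw && length $raw;
    my $name = basename($raw);        # drop directory parts: ../../etc/passwd -> passwd
    $name =~ s{[\\/]}{}g;             # basename() ignores backslashes on Unix; strip them too
    $name =~ s/[^A-Za-z0-9._-]/_/g;   # conservative charset: no quotes, newlines, shell metachars
    $name =~ s/^\.+//;                # no leading dot: .htaccess becomes htaccess
    return undef if $name eq '' || length($name) > $MAX_NAME;
    return $name;
}

# Policy check on name and declared size; returns (ok, reason).
sub upload_allowed {
    my ($name, $size) = @_;
    return (0, 'bad name')  unless defined $name;
    return (0, 'too large') if $size > $MAX_BYTES;
    my ($ext) = $name =~ /\.([^.]+)\z/;
    $ext = lc($ext // '');
    return (0, "blocked extension .$ext") if $BLOCKED_EXT{$ext};
    return (1, 'ok');
}

# Copy the upload into $UPLOAD_DIR under a server-chosen name (content hash),
# enforcing the byte cap while reading so a lying Content-Length cannot bypass it.
sub store_upload {
    my ($in_fh, $raw_name) = @_;
    my $name = safe_basename($raw_name);
    my ($ok, $why) = upload_allowed($name, (-s $in_fh) // 0);
    die "rejected: $why\n" unless $ok;

    binmode $in_fh;
    my ($tmp_fh, $tmp_path) = tempfile(DIR => $UPLOAD_DIR, UNLINK => 0);
    binmode $tmp_fh;
    my ($total, $buf, $sha) = (0, '', Digest::SHA->new(256));
    while (my $n = read($in_fh, $buf, 65536)) {
        $total += $n;
        if ($total > $MAX_BYTES) {
            close $tmp_fh;
            unlink $tmp_path;
            die "rejected: too large\n";
        }
        print {$tmp_fh} $buf;
        $sha->add($buf);
    }
    close $tmp_fh or die "write failed: $!\n";

    # The client's name never becomes part of the on-disk path.
    my $final = File::Spec->catfile($UPLOAD_DIR, $sha->hexdigest);
    rename $tmp_path, $final or die "rename failed: $!\n";
    return { path => $final, display_name => $name, bytes => $total };
}

# Headers for serving the file back: force a download and forbid MIME sniffing
# so an uploaded .html/.js is never rendered as a page from your origin.
sub download_headers {
    my ($display_name, $bytes) = @_;
    return join "\r\n",
        'Content-Type: application/octet-stream',
        "Content-Disposition: attachment; filename=\"$display_name\"",
        'X-Content-Type-Options: nosniff',
        "Content-Length: $bytes",
        '', '';
}

# Usage sketch (in a CGI handler $fh would come from the upload parameter):
# my $rec = store_upload($fh, $client_supplied_name);
# print download_headers($rec->{display_name}, $rec->{bytes});
```

The two halves address different items in the answer: `safe_basename`, `upload_allowed` and the content-hash storage name cover the traversal, special-file, filename-length and disk-filling points, while `download_headers` is what keeps a stored `.html` or `.js` from being rendered in your origin's context when it is downloaded. Serving downloads from a separate hostname adds a further layer on top of these headers.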