A pentest company mentioned our web app has a vulnerability because users are able to upload viruses disguised as .txt/image (.jpg, etc.) files. Only the format of the file is checked (.exe is not allowed).
These files are uploaded to Azure blob storage, and can later be downloaded via a link to the blob.
They uploaded eicar.exe.txt. However, I don’t see this being an issue.
The only way these viruses could execute is if the victim renamed them to .exe and then ran them.
The company recommended we look into running virus scanning software for the blobs.
Is anyone able to explain to me, step by step, how a virus in a .txt or .jpg file could end up being executed on a victim’s computer, if the victim was emailed a link to the blob, for example?
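An added example, not code from the poster or their app, contrasting the extension-only check the question describes with a content-aware check and the download properties worth setting on the blob. The signature tables, the blocked-extension list and the header helper are assumptions about how such an upload handler might be written:

```python
import os
import re

# Leading bytes expected for each accepted image extension (assumed accept list).
IMAGE_MAGIC = {
    ".jpg": (b"\xff\xd8\xff",),
    ".jpeg": (b"\xff\xd8\xff",),
    ".png": (b"\x89PNG\r\n\x1a\n",),
    ".gif": (b"GIF87a", b"GIF89a"),
}
ALLOWED = {".txt", *IMAGE_MAGIC}
EXECUTABLE_MAGIC = (b"MZ", b"\x7fELF", b"#!")          # PE, ELF, script shebang
BLOCKED_INNER = {"exe", "dll", "bat", "cmd", "ps1", "js", "vbs", "scr"}
CONTENT_TYPES = {".txt": "text/plain", ".jpg": "image/jpeg", ".jpeg": "image/jpeg",
                 ".png": "image/png", ".gif": "image/gif"}

def weak_check(filename: str) -> bool:
    """The check the question describes: final extension only, bytes never inspected."""
    return os.path.splitext(filename)[1].lower() in ALLOWED

def strong_check(filename: str, data: bytes) -> tuple:
    """Reject when the name or the leading bytes disagree with the declared benign type.
    A .txt has no magic bytes, so for text the remaining control is content scanning
    (what the pentest firm recommended), not this function."""
    parts = os.path.basename(filename).lower().split(".")
    ext = "." + parts[-1] if len(parts) > 1 else ""
    if ext not in ALLOWED:
        return False, "extension not allowed"
    if any(p in BLOCKED_INNER for p in parts[1:-1]):
        return False, "inner extension names an executable (e.g. name.exe.txt)"
    if data.startswith(EXECUTABLE_MAGIC):
        return False, "content is an executable, whatever the name says"
    if ext in IMAGE_MAGIC and not data.startswith(IMAGE_MAGIC[ext]):
        return False, "declared image type does not match content"
    return True, "ok"

def download_headers(filename: str) -> dict:
    """Blob properties to set at upload time so a browser saves the file instead of
    interpreting it: a fixed Content-Type and an attachment Content-Disposition."""
    ext = os.path.splitext(filename)[1].lower()
    safe_name = re.sub(r"[^A-Za-z0-9._-]", "_", os.path.basename(filename))
    return {
        "Content-Type": CONTENT_TYPES.get(ext, "application/octet-stream"),
        "Content-Disposition": f'attachment; filename="{safe_name}"',
    }
```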