Skip to main content

Lack of data validation - Path Traversal

Description

The software uses external input to construct a pathname that is intended to identify a file or directory but it does not properly neutralize or validate special elements within the pathname.

Impact

Make the software resolve the pathname to a location that is outside of the intended target, for instance: /etc/passwd.

Recommendation

  • Prevent the attacker from constructing the pathname.
  • Validate/Neutralize the input for special elements like: .., ~, /.

Threat

Authenticated attacker from the Internet.

Expected Remediation Time

⌚ 45 minutes.

Score

Default score using CVSS 3.1. It may change depending on the context of the vulnerability.

Base

  • Attack vector: N
  • Attack complexity: L
  • Privileges required: N
  • User interaction: N
  • Scope: U
  • Confidentiality: L
  • Integrity: N
  • Availability: N

Temporal

  • Exploit code madurity: X
  • Remediation level: X
  • Report confidence: X

Result

  • Vector string: CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:L/I:N/A:N/E:X/RL:X/RC:X
  • Score:
    • Base: 5.3
    • Temporal: 5.3
  • Severity:
    • Base: Medium
    • Temporal: Medium

Code Examples

Compliant code

The application should avoid redirecting based on external inputs, but, if needed, should always validate the values and sanitize them

public partial class WebForm : System.Web.UI.Page {
protected void Page_Load(object sender, EventArgs e) {
string input = Request.Form[""url""];
input = input.replaceAll("[~^\(/.)]*", "");
Response.Redirect(input);
}
}

Non compliant code

There are some inputs used to redirect the user without validation

public partial class WebForm : System.Web.UI.Page{
protected void Page_Load(object sender, EventArgs e) {
string input = Request.Form[""url""];
Response.Redirect(input);
}
}

The application does not perform server side validation of values

public void bad() throws Throwable {
String data;
//Code to open the connection and read the data not shown

if (data != null) {
// POTENTIAL FLAW: no validation of concatenated value
File file = new File(root + data);
FileInputStream streamFileInputSink = null;
InputStreamReader readerInputStreamSink = null;
BufferedReader readerBufferdSink = null;
if (file.exists() && file.isFile()) {
dosomething()
}
}
}

Requirements