External control of file name or path
Description
It is possible to modify the path to which an uploaded file will be saved.
Impact
- Save files in paths other than those expected by the application.
- Overwrite important files within the system by referring to the path where the upload is performed.
Recommendation
Validate uploaded files names on the system and restrict the storage to destined folders only.
Threat
Anonymous attacker from external network.
Expected Remediation Time
⌚ 30 minutes.
Score
Default score using CVSS 3.1. It may change depending on the context of the vulnerability.
Base
- Attack vector: N
- Attack complexity: H
- Privileges required: L
- User interaction: N
- Scope: U
- Confidentiality: N
- Integrity: L
- Availability: N
Temporal
- Exploit code madurity: P
- Remediation level: X
- Report confidence: X
Result
- Vector string: CVSS:3.1/AV:N/AC:H/PR:L/UI:N/S:U/C:N/I:L/A:N/E:P/RL:X/RC:X
- Score:
- Base: 3.1
- Temporal: 3.0
- Severity:
- Base: Low
- Temporal: Low
Code Examples
Compliant code
User input is validated on the server side before granting access to a file
using System;
using System.IO;
public partial class WebForm : System.Web.UI.Page {
protected void Page_Load(object sender, EventArgs e) {
string userInput = clearInput(Request.Params["UserInput"]);
string verifiedFilePath = "/myTrustedPath"
var elem = File.Open(userInput, verifiedFilePath, FileMode.Open);
}
}
Non compliant code
User input is not validated before opening a file
using System;
using System.IO;
public partial class WebForm : System.Web.UI.Page {
protected void Page_Load(object sender, EventArgs e) {
string userInput = Request.Params["UserInput"];
stirng filePath = userInput.path;
var elem = File.Open(userInput, filePath, FileMode.Edit);
}
}