Skip to main content

External control of file name or path

Description

It is possible to modify the path to which an uploaded file will be saved.

Impact

  • Save files in paths other than those expected by the application.
  • Overwrite important files within the system by referring to the path where the upload is performed.

Recommendation

Validate uploaded files names on the system and restrict the storage to destined folders only.

Threat

Anonymous attacker from external network.

Expected Remediation Time

⌚ 30 minutes.

Score

Default score using CVSS 3.1. It may change depending on the context of the vulnerability.

Base

  • Attack vector: N
  • Attack complexity: H
  • Privileges required: L
  • User interaction: N
  • Scope: U
  • Confidentiality: N
  • Integrity: L
  • Availability: N

Temporal

  • Exploit code madurity: P
  • Remediation level: X
  • Report confidence: X

Result

  • Vector string: CVSS:3.1/AV:N/AC:H/PR:L/UI:N/S:U/C:N/I:L/A:N/E:P/RL:X/RC:X
  • Score:
    • Base: 3.1
    • Temporal: 3.0
  • Severity:
    • Base: Low
    • Temporal: Low

Code Examples

Compliant code

User input is validated on the server side before granting access to a file

using System;
using System.IO;
public partial class WebForm : System.Web.UI.Page {
protected void Page_Load(object sender, EventArgs e) {
string userInput = clearInput(Request.Params["UserInput"]);
string verifiedFilePath = "/myTrustedPath"
var elem = File.Open(userInput, verifiedFilePath, FileMode.Open);
}
}

Non compliant code

User input is not validated before opening a file

using System;
using System.IO;
public partial class WebForm : System.Web.UI.Page {
protected void Page_Load(object sender, EventArgs e) {
string userInput = Request.Params["UserInput"];
stirng filePath = userInput.path;
var elem = File.Open(userInput, filePath, FileMode.Edit);
}
}

Requirements