098 – External control of file name or path

Description

It is possible to modify the path to which an uploaded file will be saved.

Impact

- Save files in paths other than those expected by the application. - Overwrite important files within the system by referring to the path where the upload is performed.

Recommendation

Validate uploaded files names on the system and restrict the storage to destined folders only.

Threat

Anonymous attacker from external network.

Expected Remediation Time

30 minutes.

Score 4.0

Default score using CVSS 4.0. It may change depending on the context of the src.

Base 4.0

• Attack vector: N
• Attack complexity: H
• Attack Requirements: N
• Privileges required: L
• User interaction: N
• Confidentiality (VC): N
• Integrity (VI): L
• Availability (VA): N
• Confidentiality (SC): N
• Integrity (SI): N
• Availability (SA): N

Threat 4.0

• Exploit maturity: P

Requirements

• 037 - Parameters without sensitive data
• 320 - Avoid client-side control enforcement

Fixes

• Csharp
• Dart
• Elixir
• Go
• Java
• Php
• Python
• Ruby
• Scala
• Typescript

Last updated

2024/02/12