Improper Limitation of a Pathname to a Restricted Directory (‘Path Traversal’)
| Property | Value |
|---|---|
| Language | csharp |
| Severity | |
| CWE | CWE-22: Improper Limitation of a Pathname to a Restricted Directory (‘Path Traversal’) |
| OWASP | A05:2017 - Broken Access Control |
| Confidence Level | Medium |
| Impact Level | Medium |
| Likelihood Level | Low |
Description
User input is combined into file paths using Path.Combine without first sanitizing it with Path.GetFileName. Path.Combine neither normalizes nor rejects `..` segments in its arguments, so an attacker can craft input that resolves to files or directories outside the intended location.
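The following is an added example, not code from the original page or from the tool that emits this rule. It shows the pattern the rule flags (user input passed straight into Path.Combine) next to a hardened version that applies Path.GetFileName and then confirms the canonical result still lies under the base directory. The `uploads` folder under the temp directory, the `PathTraversalDemo` class and the sample inputs are all assumptions constructed for the demonstration.

```csharp
using System;
using System.IO;

// Added example (not from the original page). Contrasts the CWE-22 pattern the
// rule describes with the Path.GetFileName sanitization it looks for.
public static class PathTraversalDemo
{
    // Base directory assumed for the example; any writable directory works.
    private static readonly string BaseDir = Path.Combine(Path.GetTempPath(), "uploads");

    // FLAGGED PATTERN: user input flows straight into Path.Combine.
    // "../" segments survive, and if the input is an absolute path,
    // Path.Combine discards BaseDir altogether.
    public static string ResolveUnsafe(string userFileName)
    {
        return Path.Combine(BaseDir, userFileName);
    }

    // HARDENED: drop any directory component, then verify that the canonical
    // path still starts with the canonical base directory. GetFileName covers
    // the case the rule flags; the GetFullPath check is defence in depth.
    public static string ResolveSafe(string userFileName)
    {
        string fileName = Path.GetFileName(userFileName);
        if (string.IsNullOrEmpty(fileName))
            throw new ArgumentException("A file name is required.", nameof(userFileName));

        // Trailing separator so "uploads" does not match a sibling like "uploads2".
        string baseFull = Path.GetFullPath(BaseDir + Path.DirectorySeparatorChar);
        string candidate = Path.GetFullPath(Path.Combine(baseFull, fileName));

        if (!candidate.StartsWith(baseFull, StringComparison.Ordinal))
            throw new UnauthorizedAccessException("Path escapes the upload directory.");

        return candidate;
    }

    public static void Main()
    {
        // Constructed sample inputs: a benign name, a traversal attempt,
        // a directory-only input and an absolute path.
        string[] inputs =
        {
            "report.pdf",
            "../../secret.txt",
            "subdir/",
            Path.Combine(Path.GetTempPath(), "other.txt")
        };

        foreach (string input in inputs)
        {
            Console.WriteLine($"input: {input}");
            Console.WriteLine($"  unsafe -> {ResolveUnsafe(input)}");
            try
            {
                Console.WriteLine($"  safe   -> {ResolveSafe(input)}");
            }
            catch (Exception ex) when (ex is ArgumentException || ex is UnauthorizedAccessException)
            {
                Console.WriteLine($"  safe   -> rejected: {ex.Message}");
            }
        }
    }
}
```

Running it shows the unsafe resolver returning a path above `uploads` for the traversal input and returning the absolute input unchanged, while the safe resolver maps every accepted input to a file directly inside `uploads` and rejects the directory-only input. The StartsWith check is what catches anything GetFileName might let through on a platform whose separator rules differ from the one the code was written for.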
Impact
If exploited, an attacker could read from or write to sensitive files on the server by performing path traversal (e.g., using ‘../’). This can lead to data exposure, overwriting important files, or enabling further attacks against the system.