Path Manipulation (Security Vulnerability)

An accelerated security review informed us of some path manipulation vulnerabilities. Most of them were obvious and easy fixes, but I don’t understand how to fix the following.

// wsdlPath comes straight from a user-editable text field
string[] wsdlFiles = System.IO.Directory.GetFiles(wsdlPath, "*.wsdl");

"wsdlPath" is entered from the text field. Is that just impossible to fix? I can check the path, etc., but how does this help the vulnerability?

+6
3 answers

If the data is always obtained from a text field whose contents are defined by the user, and the code is executed with the permissions of that user, then the only threat is the user's attack. This is not an interesting threat.

The vulnerability that the tool is trying to warn you about is that if low-trust code can determine the contents of this string, then the hostile code can mount an attempt to detect facts about the user's machine, such as "is there such-and-such a program, which I know has a security vulnerability, installed and not loaded?" or "is there a user named admin on this machine?" etc.

+8

You should never feed anything directly into the OS API without filtering. You must sanitize the input: make sure that it does not contain paths (for example, "../../../somefile"), make sure that it truncates long names, and make sure that it contains only valid file names (for example, there have been various bugs related to international characters).

+2

Using this code, any authenticated user who has the right to use this function can access the file system on the server. Access will be made using the credentials of the service account that runs the web application.

Depending on how the returned data is used, an attacker can obtain additional information or force the server to behave in a way that is not intended.

You must limit the set of valid paths to the contents of one or more carefully selected directories. Use the functions of the Path class to concatenate strings into a path; they take care of things like the user entering c:\allowedpath\..\windows\system32 for you.

+1
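The check the last two answers describe (sanitize the input, then confine it to a selected directory), as an added example that is not part of the original question or answers. One caveat the answer above glosses over: Path.Combine does not reject ".." on its own, and it silently discards the base when its second argument is already rooted, so the resolved path still has to be compared against the allowed root after Path.GetFullPath has normalised it. The root directory C:\app\wsdl and the class and method names are assumptions for the example.

```csharp
using System;
using System.IO;

// Added example (not from the original post): confine a user-supplied
// directory name to a fixed base directory before listing its *.wsdl files.
public static class WsdlCatalog
{
    // Assumption: the application, not the user, decides which root is permissible.
    private static readonly string AllowedRoot =
        Path.GetFullPath(@"C:\app\wsdl"); // hypothetical path

    // Drop-in replacement for Directory.GetFiles(wsdlPath, "*.wsdl") on raw input.
    public static string[] ListWsdlFiles(string userSupplied)
    {
        string resolved = ResolveInsideRoot(userSupplied);
        if (resolved == null)
            throw new UnauthorizedAccessException("Path is outside the permitted directory.");
        return Directory.GetFiles(resolved, "*.wsdl");
    }

    // Returns the canonical directory path if it lies under AllowedRoot, otherwise null.
    public static string ResolveInsideRoot(string userSupplied)
    {
        if (string.IsNullOrWhiteSpace(userSupplied))
            return null;

        // Reject rooted input outright: Path.Combine discards the base when the
        // second argument is already rooted, e.g. @"C:\Windows" or @"\\server\share".
        if (Path.IsPathRooted(userSupplied))
            return null;

        // Reject characters that are never legal anywhere in a path.
        if (userSupplied.IndexOfAny(Path.GetInvalidPathChars()) >= 0)
            return null;

        // GetFullPath collapses "..", ".", mixed and repeated separators into
        // one absolute path, so the comparison below sees the real target.
        string candidate = Path.GetFullPath(Path.Combine(AllowedRoot, userSupplied));

        // Compare against the root with a trailing separator so that a sibling
        // such as C:\app\wsdl-private is not accepted as a child of C:\app\wsdl.
        string rootWithSep = AllowedRoot.TrimEnd(Path.DirectorySeparatorChar)
                             + Path.DirectorySeparatorChar;
        bool inside = candidate.Equals(AllowedRoot, StringComparison.OrdinalIgnoreCase)
                      || candidate.StartsWith(rootWithSep, StringComparison.OrdinalIgnoreCase);
        return inside ? candidate : null;
    }

    public static void Main()
    {
        // Constructed sample inputs: one legitimate name and three traversal attempts.
        string[] samples =
        {
            "customer-a",
            @"..\..\Windows\System32",
            @"C:\Windows",
            "../../secret"
        };
        foreach (string input in samples)
            Console.WriteLine($"{input,-28} -> {ResolveInsideRoot(input) ?? "REJECTED"}");
    }
}
```

The StartsWith comparison is the part that actually enforces the policy; the Path helpers only make sure it is applied to the normalised path rather than to whatever string the user typed. Note that the check runs with the web application's service-account permissions, as the answer points out, so the allowed root should itself be a directory that account has no reason to write to.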

Source: https://habr.com/ru/post/912869/
