Path Manipulation


Description

Path manipulation errors occur when the following two conditions are met:
  1. An attacker can specify a path used in an operation on the filesystem.
  2. By specifying the resource, the attacker gains a capability that would not otherwise be permitted. For example, the program may give the attacker the ability to overwrite the specified file or run with a configuration controlled by the attacker.
Allowing user input to control paths used in filesystem operations may enable an attacker to access or modify protected system resources.

Risk Factors

TBD

Examples

Example 1

The following code uses input from an HTTP request to create a file name. The programmer has not considered the possibility that an attacker could provide a file name such as "../../tomcat/conf/server.xml", which causes the application to delete one of its own configuration files.
	import java.io.File;

	// Vulnerable: the request parameter is joined into the path verbatim,
	// so a value containing "../" walks out of the reports directory.
	String rName = request.getParameter("reportName");
	File rFile = new File("/usr/local/apfr/reports/" + rName);
	...
	rFile.delete();

Example 2

The following code uses input from a configuration file to determine which file to open and echo back to the user. If the program runs with privileges and malicious users can change the configuration file, they can use the program to read any file on the system that ends with the extension .txt.
	import java.io.FileInputStream;

	// Vulnerable: the "sub" property chooses the file; appending ".txt" only
	// limits the attacker to files with that extension, not to a directory.
	fis = new FileInputStream(cfg.getProperty("sub") + ".txt");
	amt = fis.read(arr);
	out.println(new String(arr, 0, amt));
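Both examples share the same fix: validate the untrusted name against a strict allow-list, then resolve it under a fixed base directory and confirm the normalized result is still inside that directory. The following class is an added illustration, not code from the original post; the base directory is taken from Example 1, while the allow-list pattern and the method names are assumptions.

```java
import java.nio.file.InvalidPathException;
import java.nio.file.Path;
import java.nio.file.Paths;

public class SafeReportPath {
    // Base directory from Example 1; everything served must live below it.
    private static final Path REPORTS_DIR =
            Paths.get("/usr/local/apfr/reports").toAbsolutePath().normalize();

    /**
     * Maps an untrusted report name to a file inside REPORTS_DIR, or throws.
     * Two independent checks are applied: an allow-list on the name itself
     * (assumed pattern: short alphanumeric base name plus .pdf or .txt), and
     * a containment check on the normalized path, so that a bypass of one
     * still has to get past the other.
     */
    public static Path resolveReportPath(String untrustedName) {
        if (untrustedName == null
                || !untrustedName.matches("[A-Za-z0-9_-]{1,64}\\.(pdf|txt)")) {
            throw new IllegalArgumentException("report name rejected by allow-list");
        }
        Path candidate;
        try {
            candidate = REPORTS_DIR.resolve(untrustedName).normalize();
        } catch (InvalidPathException e) {
            throw new IllegalArgumentException("report name is not a valid path", e);
        }
        // Containment check: after normalize() has collapsed any "../" the
        // result must still be a strict descendant of the base directory.
        // normalize() does not follow symlinks; use toRealPath() on an
        // existing file if symlinked escapes are a concern in your deployment.
        if (!candidate.startsWith(REPORTS_DIR) || candidate.equals(REPORTS_DIR)) {
            throw new IllegalArgumentException("report name escapes the reports directory");
        }
        return candidate;
    }

    public static boolean isAcceptable(String untrustedName) {
        try {
            resolveReportPath(untrustedName);
            return true;
        } catch (IllegalArgumentException e) {
            return false;
        }
    }

    public static void main(String[] args) {
        // Constructed sample inputs: two benign names, the traversal string
        // from Example 1, and a name containing a separator.
        String[] inputs = {"q1_2024.pdf", "notes.txt",
                           "../../tomcat/conf/server.xml", "sub/dir.pdf"};
        for (String in : inputs) {
            System.out.println(in + " -> "
                    + (isAcceptable(in) ? resolveReportPath(in) : "REJECTED"));
        }
    }
}
```

The allow-list alone already rejects the traversal string, but keeping the containment check means a future relaxation of the pattern (for example to allow subdirectories) does not silently reintroduce the Example 1 bug.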
