Description

This script is vulnerable to arbitrary file creation.

This issue allows an attacker to influence calls to functions which create files/directories and create arbitrary files. Due to a lack of input validation, an attacker can supply directory traversal sequences followed by an arbitrary file name to create specific files.

Remediation

Your script should filter metacharacters from user input.

References

Acunetix Directory Traversal Attacks

Related Vulnerabilities

MediaWiki Improper Input Validation Vulnerability (CVE-2017-0366)

SharePoint Improper Input Validation Vulnerability (CVE-2019-0604)

Same origin method execution (SOME)

Squid Improper Input Validation Vulnerability (CVE-2013-1839)

OpenSSL Improper Input Validation Vulnerability (CVE-2010-0740)

Severity

High

Classification

CWE-20 CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:C/C:L/I:L/A:L CVSS:4.0/AV:N/AC:L/AT:N/PR:N/UI:N/VC:L/VI:L/VA:L/SC:N/SI:N/SA:N

Tags

Arbitrary File Creation