Acunetix DAST powers runtime capabilities for Invicti’s complete AppSec platform. Visit Invicti for more.

WEB APPLICATION VULNERABILITIES Standard & Premium

Arbitrary File Deletion

Description

This script is vulnerable to arbitrary file deletion.

This issue allows an attacker to influence calls to the 'unlink()' function and delete arbitrary files. Due to a lack of input validation, an attacker can supply directory traversal sequences followed by an arbitrary file name to delete specific files.

Remediation

Your script should filter metacharacters from user input.

References

Acunetix Directory Traversal Attacks

Related Vulnerabilities

Moodle Improper Input Validation Vulnerability (CVE-2021-3943)

MyBB Improper Input Validation Vulnerability (CVE-2019-12831)

PHP Improper Input Validation Vulnerability (CVE-2015-8879)

Jboss EAP Improper Input Validation Vulnerability (CVE-2011-4314)

phpMyAdmin Improper Input Validation Vulnerability (CVE-2016-9859)

Severity

High

Classification

CWE-20 CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:C/C:N/I:L/A:L CVSS:4.0/AV:N/AC:L/AT:N/PR:N/UI:N/VC:N/VI:L/VA:L/SC:N/SI:N/SA:N

Tags

Arbitrary File Creation Denial Of Service