NET Server mappath security vulnerability for getting web.config access












0















I have the following code in my MVC application for downloading App_Data server generated files.



public ActionResult DownloadFile(string fileName, string dummyName)

        {

            var path = this.HttpContext.Server.MapPath("~/App_Data/TempFiles");

            var filePath = Path.Combine(path, fileName);

            var fileExtension = Path.GetExtension(filePath);



            byte fileBytes = System.IO.File.ReadAllBytes(filePath);



            var cookie = new System.Web.HttpCookie("fileDownload", "true")

            {

                Expires = DateTime.Now.AddDays(1),

                Path = "/"

            };

            this.Response.Cookies.Add(cookie);



            return File(fileBytes, "application/octet-stream", fileName);

        }


Seems all fine without issue, but then by looking into security vulnerabilities I could use post man to send something like this:



http://localhost/testapp/employee/downloadfile/?filename=netspi- notafile.xxx../../../../web.config&dummyName=netspi-notafile.xxx


And surprise.. I could get back the web.config contents.




Any clue on how to protect this or prevent this to happen?







security asp.net-mvc-4 web-config







share|improve this question



























    0















    I have the following code in my MVC application for downloading App_Data server generated files.



    public ActionResult DownloadFile(string fileName, string dummyName)
    
        {
    
            var path = this.HttpContext.Server.MapPath("~/App_Data/TempFiles");
    
            var filePath = Path.Combine(path, fileName);
    
            var fileExtension = Path.GetExtension(filePath);
    

    
            byte fileBytes = System.IO.File.ReadAllBytes(filePath);
    

    
            var cookie = new System.Web.HttpCookie("fileDownload", "true")
    
            {
    
                Expires = DateTime.Now.AddDays(1),
    
                Path = "/"
    
            };
    
            this.Response.Cookies.Add(cookie);
    

    
            return File(fileBytes, "application/octet-stream", fileName);
    
        }


    Seems all fine without issue, but then by looking into security vulnerabilities I could use post man to send something like this:



    http://localhost/testapp/employee/downloadfile/?filename=netspi- notafile.xxx../../../../web.config&dummyName=netspi-notafile.xxx


    And surprise.. I could get back the web.config contents.




    Any clue on how to protect this or prevent this to happen?







    security asp.net-mvc-4 web-config







    share|improve this question

























      0












      0








      0


      1






      I have the following code in my MVC application for downloading App_Data server generated files.



      public ActionResult DownloadFile(string fileName, string dummyName)
      
        {
      
            var path = this.HttpContext.Server.MapPath("~/App_Data/TempFiles");
      
            var filePath = Path.Combine(path, fileName);
      
            var fileExtension = Path.GetExtension(filePath);
      

      
            byte fileBytes = System.IO.File.ReadAllBytes(filePath);
      

      
            var cookie = new System.Web.HttpCookie("fileDownload", "true")
      
            {
      
                Expires = DateTime.Now.AddDays(1),
      
                Path = "/"
      
            };
      
            this.Response.Cookies.Add(cookie);
      

      
            return File(fileBytes, "application/octet-stream", fileName);
      
        }


      Seems all fine without issue, but then by looking into security vulnerabilities I could use post man to send something like this:



      http://localhost/testapp/employee/downloadfile/?filename=netspi- notafile.xxx../../../../web.config&dummyName=netspi-notafile.xxx


      And surprise.. I could get back the web.config contents.




      Any clue on how to protect this or prevent this to happen?







      security asp.net-mvc-4 web-config







      share|improve this question














      I have the following code in my MVC application for downloading App_Data server generated files.



      public ActionResult DownloadFile(string fileName, string dummyName)
      
        {
      
            var path = this.HttpContext.Server.MapPath("~/App_Data/TempFiles");
      
            var filePath = Path.Combine(path, fileName);
      
            var fileExtension = Path.GetExtension(filePath);
      

      
            byte fileBytes = System.IO.File.ReadAllBytes(filePath);
      

      
            var cookie = new System.Web.HttpCookie("fileDownload", "true")
      
            {
      
                Expires = DateTime.Now.AddDays(1),
      
                Path = "/"
      
            };
      
            this.Response.Cookies.Add(cookie);
      

      
            return File(fileBytes, "application/octet-stream", fileName);
      
        }


      Seems all fine without issue, but then by looking into security vulnerabilities I could use post man to send something like this:



      http://localhost/testapp/employee/downloadfile/?filename=netspi- notafile.xxx../../../../web.config&dummyName=netspi-notafile.xxx


      And surprise.. I could get back the web.config contents.




      Any clue on how to protect this or prevent this to happen?







      security asp.net-mvc-4 web-config




      security asp.net-mvc-4 web-config






      share|improve this question













      share|improve this question











      share|improve this question




      share|improve this question










      asked Jan 19 at 18:45









      VAAAVAAA

      5,6551570157




      5,6551570157
























          0






          active

          oldest

          votes











          Your Answer






          StackExchange.ifUsing("editor", function () {
          StackExchange.using("externalEditor", function () {
          StackExchange.using("snippets", function () {
          StackExchange.snippets.init();
          });
          });
          }, "code-snippets");

          StackExchange.ready(function() {
          var channelOptions = {
          tags: "".split(" "),
          id: "1"
          };
          initTagRenderer("".split(" "), "".split(" "), channelOptions);

          StackExchange.using("externalEditor", function() {
          // Have to fire editor after snippets, if snippets enabled
          if (StackExchange.settings.snippets.snippetsEnabled) {
          StackExchange.using("snippets", function() {
          createEditor();
          });
          }
          else {
          createEditor();
          }
          });

          function createEditor() {
          StackExchange.prepareEditor({
          heartbeatType: 'answer',
          autoActivateHeartbeat: false,
          convertImagesToLinks: true,
          noModals: true,
          showLowRepImageUploadWarning: true,
          reputationToPostImages: 10,
          bindNavPrevention: true,
          postfix: "",
          imageUploader: {
          brandingHtml: "Powered by u003ca class="icon-imgur-white" href="https://imgur.com/"u003eu003c/au003e",
          contentPolicyHtml: "User contributions licensed under u003ca href="https://creativecommons.org/licenses/by-sa/3.0/"u003ecc by-sa 3.0 with attribution requiredu003c/au003e u003ca href="https://stackoverflow.com/legal/content-policy"u003e(content policy)u003c/au003e",
          allowUrls: true
          },
          onDemand: true,
          discardSelector: ".discard-answer"
          ,immediatelyShowMarkdownHelp:true
          });


          }
          });














          draft saved

          draft discarded


















          StackExchange.ready(
          function () {
          StackExchange.openid.initPostLogin('.new-post-login', 'https%3a%2f%2fstackoverflow.com%2fquestions%2f54270272%2fnet-server-mappath-security-vulnerability-for-getting-web-config-access%23new-answer', 'question_page');
          }
          );

          Post as a guest















          Required, but never shown

























          0






          active

          oldest

          votes








          0






          active

          oldest

          votes









          active

          oldest

          votes






          active

          oldest

          votes
















          draft saved

          draft discarded




















































          Thanks for contributing an answer to Stack Overflow!


          • Please be sure to answer the question. Provide details and share your research!

          But avoid



          • Asking for help, clarification, or responding to other answers.

          • Making statements based on opinion; back them up with references or personal experience.


          To learn more, see our tips on writing great answers.




          draft saved


          draft discarded














          StackExchange.ready(
          function () {
          StackExchange.openid.initPostLogin('.new-post-login', 'https%3a%2f%2fstackoverflow.com%2fquestions%2f54270272%2fnet-server-mappath-security-vulnerability-for-getting-web-config-access%23new-answer', 'question_page');
          }
          );

          Post as a guest















          Required, but never shown





















































          Required, but never shown














          Required, but never shown












          Required, but never shown







          Required, but never shown

































          Required, but never shown














          Required, but never shown












          Required, but never shown







          Required, but never shown







          -

          Popular posts from this blog

          Liquibase includeAll doesn't find base path

          Image
          0 while migrating a project from maven to gradle I ran in the following problem. My file structure looks like this: The changelog-master.xml includes the changelog-v1-0.xml, which then should include the directory v1-0 with following line: <includeAll path="src/main/resources/liquibase/changelogs/v1-0/" errorIfMissingOrEmpty="true" /> . This works just fine. This: <includeAll path="/liquibase/changelogs/v1-0/" errorIfMissingOrEmpty="true" relativeToChangelogFile="true" /> doesn't. I get following errormessage: Cannot find base path 'src/main/resources/liquibase/changelogs/changelog-v1-0.xml' with liquibase in version 3.6.2. I also tried the versions 3.6.0, 3.6.1 and 3.5.5. I am using gradle to build my project in version 4.9
          Read more

          How to use setInterval in EJS file?

          Image
          0 I have a problem with using setInterval in my EJS file, which is part of my nodejs app (with Express). I have created function getRandomSubarray , which chooses randomly subset of images from array. I want to change this subset every three seconds. This is problematic piece of my code: <%setInterval(function(){%> <%RandomSubrecipesImg=tools.getRandomSubarray(recipesImg,4)%> <div class="navbar-image-box col-sm-3 d-none d-sm-block"><img class="navbar-image" src="<%=RandomSubrecipesImg[0].replace('public',"")%>"></div> <div class="navbar-image-box col-sm-3 d-none d-sm-block"><img class="navbar-image" src="<%=RandomSubrecipesImg[1].replace('public',"")%>">&
          Read more

          Petrus Granier-Deferre

          Image
          Petrus Granier-Deferre (Lutetiae die 27 Iulii 1927 natus; ibidem die 16 Novembris 2007 mortuus) fuit moderator cinematographicus et dux scaenarum Francicus. Pelliculae selectae | 1961 : Le Petit Garçon de l'ascenseur 1962 : Les Aventures de Salavin (sous-titré Confession de minuit) 1965 : La Métamorphose des cloportes 1965 : Paris au mois d'août 1967 : Le Grand Dadais 1970 : La Horse 1971 : Le Chat 1971 : La Veuve Couderc 1973 : Le Fils 1973 : Le Train 1974 : La Race des seigneurs 1975 : La Cage 1975 : Adieu poulet 1976 : Une femme à sa fenêtre 1976 : Le Toubib 1981 : Une étrange affaire 1982 : L'Étoile du Nord 1983 : L'Ami de Vincent 1985 : L'Homme aux yeux d'argent 1986 : Cours privé 1987 : Noyade interdite 1988 : La Couleur du vent 1990 : L'Autrichienne 1995 : Le Petit Garçon 1992 : La Voix 1993 : Archipel 1995 : Maigret et la vente à la bougie (TV) 1996 : La Dernière Fête (TV) 1997 : Maigret et l'enfant de c
          Read more