#### Title



Directory Traversal Vulnerability Allowing Access to Sensitive Files





#### Summary





The application is vulnerable to directory traversal via a user-controlled file path parameter.

I can manipulate the file path to access files that are not intended to be accessible.



This allows unauthorized reading of sensitive system files.





#### Vulnerable Endpoint



Example:



GET /image?filename= ....





#### Vulnerability Type



* Path Traversal



* Local File Inclusion (LFI) behavior





#### Technical Analysis



The application loads files from a directory based on a user-supplied filename parameter.



However, the application does not properly sanitize input to prevent directory traversal sequences such as:



../



By injecting traversal sequences, it is possible to escape the intended directory and access arbitrary files on the server.



Example traversal pattern:



../../../etc/passwd



This shows that the application fails to restrict file access to a safe directory.





#### Proof of Concept



By modifying the filename parameter to include directory traversal sequences, it was possible to retrieve sensitive system files.



The response contained contents of a system file, confirming successful exploitation.





#### Impact



An attacker could:



* Read sensitive files (e.g., system configuration files)



* Retrieve application source code



* Access credentials



* Identify internal paths for further attacks





Depending on configuration, this may lead to:



* Information disclosure



* Credential leakage



* Full system compromise (if chained with other vulnerabilities)





**Severity: High**





#### Root Cause



Lack of:



* Input validation



* Canonical path validation



* Proper restriction to a fixed directory





The server does not normalize and validate the resolved file path before access.



#### Mitigation



* Normalize paths before file access



* Reject traversal sequences (../)



* Use strict allow-lists for filenames



* Store files outside the web root



* Use indirect file references (IDs instead of raw filenames)
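
A sketch of the allow-list and canonical-path checks listed above, added here as an illustration and not taken from the affected application. The `resolve_image` helper, the `SAFE_NAME` policy, and the directory layout are assumptions, and all sample files and requests are constructed.

```python
import os
import re
import tempfile
from pathlib import Path

# Assumed policy: plain name plus a known image extension, nothing else.
SAFE_NAME = re.compile(r"[A-Za-z0-9_-]{1,64}\.(?:png|jpg|gif)")

class RejectedPath(Exception):
    """Requested name failed validation."""

def resolve_image(base_dir, filename):
    """Return the canonical path of filename inside base_dir, or raise."""
    # Allow-list: rejects separators, "..", NUL bytes and encoded forms.
    if not SAFE_NAME.fullmatch(filename):
        raise RejectedPath("name not on allow-list")
    base = Path(base_dir).resolve(strict=True)
    # Canonicalize: resolve() collapses ".." and follows symlinks.
    candidate = (base / filename).resolve()
    try:
        candidate.relative_to(base)  # containment check on the resolved path
    except ValueError:
        raise RejectedPath("resolves outside base directory") from None
    if not candidate.is_file():
        raise RejectedPath("no such file")
    return candidate

def demo():
    """Run constructed requests against a throwaway directory tree."""
    results = {}
    with tempfile.TemporaryDirectory() as root:
        images = Path(root, "images")
        images.mkdir()
        (images / "logo.png").write_bytes(b"constructed sample")
        Path(root, "secret.txt").write_text("constructed secret")
        # A symlink with an allowed name that points outside the base.
        os.symlink(Path(root, "secret.txt"), images / "link.png")
        for name in ("logo.png", "../../../etc/passwd",
                     "..%2f..%2fsecret.txt", "link.png", "missing.png"):
            try:
                results[name] = resolve_image(images, name).name
            except RejectedPath as exc:
                results[name] = "rejected: " + str(exc)
    return results

if __name__ == "__main__":
    for request, outcome in demo().items():
        print(f"{request!r:28} -> {outcome}")
```

The `link.png` case passes the filename allow-list and is only caught by the containment check on the resolved path, which is why both checks are applied.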
