DerScanner
Home / Vulnerability Database / PHP : File system manipulation
PHP

PHP : File system manipulation

Classification

OWASP Top 10 2013
A7-Missing Function Level Access Control
OWASP Top 10 2017
A5-Broken Access Control
OWASP Top 10 2021
A1-Broken Access ControlA4-Insecure Design
OWASP ASVS
Files and Resources
PCI DSS 4.0
6.2.4
HIPAA
§164.312 (a)(1)
CWE
CWE-22CWE-73CWE-434CWE-642CWE-785
CWE/SANS Top 25 2011
CWE-22CWE-434
CWE/SANS Top 25 2021
CWE-22CWE-434

Overview

The application uses a package for file system management. If the arguments of the function originate from an untrusted source, an adversary can modify tablespace datafiles and control files.

References

  1. OWASP Top 10 2017-A5-Broken Access Control
  2. CWE-22: Improper Limitation of a Pathname to a Restricted Directory (‘Path Traversal’)
  3. CWE-73: External Control of File Name or Path
  4. CWE-785: Use of Path Manipulation Function without Maximum-sized Buffer
CRITICAL

DerScanner Severity Score

Do you want to fix PHP : File system manipulation in your application?

See also

PHP

PHP : Null salt

PHP

PHP : Empty password

PHP

PHP : Empty salt