I ran a Gray Box Assessment test for an application I developed and I have some vulnerabilities, specifically a Path Manipulation in the Input Validation category.
I have in my code:
    // $fileName is derived from the uploaded file's name
    if (move_uploaded_file($_FILES["file"]["tmp_name"], "contacts_load/" . $fileName)) {
        if ($import = fopen("contacts_load/" . $fileName, "r")) {
            // ... read the uploaded contacts ...
        }
    }
and:
    unlink("contacts_load/" . $fileName);
The problem is in contacts_load/.
Below you are going to find some information about this:
Description: Allowing user input to control paths used in filesystem operations could enable an attacker to access or modify otherwise protected system resources.
Specific Scenario:
Path manipulation errors occur when the following two conditions are met:
An attacker can specify a path used in an operation on the filesystem.
By specifying the resource, the attacker gains a capability that would not otherwise be permitted.
For example, the program may give the attacker the ability to overwrite the specified file or run with a configuration controlled by the attacker.
How can I prevent the path manipulation for this specific scenario?
There is no problem with contacts_load/. The user cannot modify it.
I do recommend you sanitize $_FILES["file"]["name"] though. This answer should be helpful.
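As an added example (not the asker's code and not part of the answer above), this is one way to sanitize $_FILES["file"]["name"] before using it under contacts_load/, which is where the scanner's finding actually comes from. The constant UPLOAD_DIR, the function names, and the allowed extensions are assumptions made for illustration; adapt them to the application.

```php
<?php
// Added example: derive a safe file name from the user-supplied upload name.
// UPLOAD_DIR and the function names are assumptions for this illustration.

const UPLOAD_DIR = __DIR__ . '/contacts_load';

/**
 * Return a safe file name derived from the user-supplied one, or null if it
 * cannot be made safe. Only the last path component is kept, so "../" and
 * absolute paths are discarded, and only a conservative character set is allowed.
 */
function safeUploadName(string $userName): ?string
{
    // basename() strips directory components such as "../../etc". Backslashes
    // are normalised first so Windows-style separators are handled as well.
    $name = basename(str_replace('\\', '/', $userName));

    // Reject empty names, dot-files and over-long names.
    if ($name === '' || $name[0] === '.' || strlen($name) > 100) {
        return null;
    }
    // Whitelist: letters, digits, underscore, dash, and an expected extension.
    if (!preg_match('/^[A-Za-z0-9_-]+\.(csv|txt)$/', $name)) {
        return null;
    }
    return $name;
}

/**
 * Build the full path and verify it still resolves inside UPLOAD_DIR.
 * realpath() canonicalises the directory; the file itself need not exist yet,
 * so the containment check is done on the directory part of the final path.
 */
function pathInsideUploadDir(string $safeName): ?string
{
    $dir = realpath(UPLOAD_DIR);
    if ($dir === false) {
        return null; // upload directory missing or unreadable
    }
    $full = $dir . DIRECTORY_SEPARATOR . $safeName;
    if (dirname($full) !== $dir) {
        return null; // would escape the upload directory
    }
    return $full;
}

// Usage in the upload handler, mirroring the original flow:
if (isset($_FILES['file']) && $_FILES['file']['error'] === UPLOAD_ERR_OK) {
    $fileName = safeUploadName($_FILES['file']['name']);
    $target   = $fileName !== null ? pathInsideUploadDir($fileName) : null;

    if ($target === null) {
        http_response_code(400);
        exit('Invalid file name');
    }

    if (move_uploaded_file($_FILES['file']['tmp_name'], $target)) {
        if ($import = fopen($target, 'r')) {
            // ... process the contacts file ...
            fclose($import);
        }
        unlink($target);
    }
}
```

If the application does not need to keep the original name at all, an even simpler fix is to ignore $_FILES["file"]["name"] entirely and generate the name server-side (for example with uniqid() plus a fixed extension); the user then controls no part of the path, and the scanner's condition "an attacker can specify a path" no longer holds.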