Web Server Path Traversal

Impact: High


When a web server fails to normalize and validate the ../ sequence properly, it enables attackers to access files outside the public web directory. This vulnerability can lead to reading sensitive system files like /etc/passwd or application configurations files. This issue might be because of a bug in the web server or the router application serving static files.


Make sure the web server is up to date. If you’re using a component for serving the static files update it as well. Finally, debug and trace your web application to find where the route is dispatched and use validation to prevent serving files outside of the intended path.


Last updated on October 10, 2021

This issue is available in SmartScanner Professional

See Pricing