File path traversal #36183

@i5d6

Description

The /api/FileViewr/ endpoint on <hostlocal.com> accepts a user-controlled fileName parameter and returns the contents of arbitrary files from the host filesystem. I was able to retrieve C:\Windows\win.ini. This indicates insufficient input validation and lack of path canonicalization / allowlisting, resulting in Local File Disclosure (LFD) / Path Traversal.

  • Affected endpoint: GET /api/FileViewr/?fileName=

  • Impact: Disclosure of arbitrary local files readable by the application process. Classified as High risk due to the potential to leak configuration files, secrets, credentials, or other sensitive information.

Proof of Concept (sanitized)

Evidence below is limited to request headers and a minimal harmless file snippet for proof. Sensitive contents (secrets, full configs) are not included.

GET /api/FileViewr/?fileName=c%3a%5cwindows%5cwin.ini HTTP/2
Host: hostlocal.com
User-Agent: Mozilla/5.0 ...
Accept: */*

Page URL

https://learn.microsoft.com/ar-sa/aspnet/core/blazor/security/interactive-server-side-rendering?view=aspnetcore-9.0

Content source URL

https://github.com/dotnet/AspNetCore.Docs/blob/main/aspnetcore/blazor/security/interactive-server-side-rendering.md

Document ID

17ec9ee6-3d68-deb8-1c6b-27465837e038

Platform Id

7ddd95b4-62e6-06c4-dd4f-c77a3c2f79b4

Article author

@guardrex

Metadata

  • ID: 17ec9ee6-3d68-deb8-1c6b-27465837e038
  • PlatformId: 7ddd95b4-62e6-06c4-dd4f-c77a3c2f79b4
  • Service: aspnet-core
  • Sub-service: blazor
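Added example, not code from the report or from the referenced ASP.NET Core docs: the rooted-path join that produces exactly the win.ini disclosure described above, beside a hardened handler that URL-decodes once, rejects absolute and parent-directory names under both Windows and POSIX rules, allowlists the relative name, and canonicalises the result under a base directory. `ALLOWED_NAMES`, the function names and the sample base directory are constructed for illustration.

```python
"""Naive fileName join that discloses arbitrary files, and a hardened replacement."""
from __future__ import annotations

from pathlib import Path, PurePosixPath, PureWindowsPath
from urllib.parse import unquote

# Constructed allowlist: the only relative names the viewer is allowed to serve.
ALLOWED_NAMES = frozenset({"readme.txt", "reports/summary.txt"})


def naive_viewer_path(base_dir: str, raw_file_name: str) -> PureWindowsPath:
    """The vulnerable pattern: joining a rooted fileName discards base_dir entirely."""
    return PureWindowsPath(base_dir) / unquote(raw_file_name)


def reject_reason(raw_file_name: str) -> str | None:
    """Return why a fileName value is unsafe, or None if it passes the syntactic checks.

    The value is URL-decoded once (as the framework would) and then judged under both
    POSIX and Windows rules, so 'c:\\windows\\win.ini' is rejected on a Linux host and
    '/etc/passwd' on a Windows host.
    """
    name = unquote(raw_file_name)
    if not name or "\x00" in name:
        return "empty or contains NUL"
    for rules in (PurePosixPath, PureWindowsPath):
        p = rules(name)
        if p.drive or p.root or p.is_absolute():
            return f"absolute or drive-qualified path ({rules.__name__})"
        if ".." in p.parts:
            return f"parent-directory segment ({rules.__name__})"
    return None


def resolve_for_viewer(base_dir: Path, raw_file_name: str) -> Path | None:
    """Map fileName to a file inside base_dir, or None if it must not be served."""
    if reject_reason(raw_file_name) is not None:
        return None
    name = unquote(raw_file_name).replace("\\", "/")  # one separator convention
    if name not in ALLOWED_NAMES:                      # allowlist by exact relative name
        return None
    base = base_dir.resolve()
    candidate = (base / name).resolve()                # canonicalise, following symlinks
    if not candidate.is_relative_to(base):             # containment check as a second gate
        return None
    return candidate
```

The containment check is deliberately kept even though the allowlist already decides; it catches a symlink inside the base directory that points outside it.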

Status: Done