File-Based or Directory-Based Attacks

If user input is used as the basis for a file or directory name when opening a file, an attacker can manipulate that input so the file is opened from an unintended location. Suppose you create the following Public procedure in a server application to save user settings to a file. Your intent is to save the file in the same directory as the application by using Application.StartupPath.

Public Sub SaveSettings(ByVal UserName As String, _
    ByVal Settings As String)
  Dim hFile As Integer = FreeFile()
  ' UserName is appended to the path unchanged, so a value containing
  ' path separators or ".." resolves to a location outside StartupPath.
  Dim Filename As String = Application.StartupPath & "\" & _
    UserName
  FileOpen(hFile, Filename, OpenMode.Output)
  PrintLine(hFile, Settings)
  FileClose(hFile)
End Sub
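A hardened version of SaveSettings, added here as an example and not taken from the book: it accepts UserName only as a bare file name, canonicalizes the combined path with Path.GetFullPath, and refuses anything that does not stay inside Application.StartupPath. ResolveSettingsPath is a helper name introduced for this example.

```vbnet
Imports System
Imports System.IO
Imports System.Windows.Forms

Public Module SafeSettings
    ' Returns the validated full path for a user's settings file, or throws
    ' if userName is anything other than a plain file name inside baseDir.
    Public Function ResolveSettingsPath(ByVal baseDir As String, _
                                        ByVal userName As String) As String
        ' First gate: reject separators, drive letters, "." / "..", and
        ' characters Windows does not allow in a file name.
        If String.IsNullOrEmpty(userName) _
           OrElse userName <> Path.GetFileName(userName) _
           OrElse userName = "." OrElse userName = ".." _
           OrElse userName.IndexOfAny(Path.GetInvalidFileNameChars()) >= 0 Then
            Throw New ArgumentException("Invalid user name")
        End If

        ' Second gate: canonicalize and confirm the result is still under
        ' the base directory (the trailing separator prevents a prefix
        ' match against a sibling directory such as "AppDir2").
        Dim root As String = Path.GetFullPath(baseDir)
        If Not root.EndsWith(Path.DirectorySeparatorChar.ToString()) Then
            root &= Path.DirectorySeparatorChar
        End If
        Dim full As String = Path.GetFullPath(Path.Combine(root, userName))
        If Not full.StartsWith(root, StringComparison.OrdinalIgnoreCase) Then
            Throw New ArgumentException("Path escapes the settings directory")
        End If
        Return full
    End Function

    ' Same purpose as the original SaveSettings, but the path is validated
    ' before any file is opened.
    Public Sub SaveSettings(ByVal userName As String, ByVal settings As String)
        Dim fileName As String = _
            ResolveSettingsPath(Application.StartupPath, userName)
        File.WriteAllText(fileName, settings)
    End Sub
End Module
```

Callers should treat the ArgumentException as a rejected request and log it, since a user name that fails either gate was never a legitimate settings file name.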

Tip

In the case of ASP.NET Web applications, use
