Another flaw has been identified and that is related to "Directory Traversal". Can you please provide a justification for this so that I can forward the same to the Veracode team. Please find the details below.
Description is as follows:
Scope: telerik_web_ui_dll.Telerik.Web.UI.Widgets.FileSystemContentProvider
Function Prototype: string CopyDirectory(string, string)
This call to mscorlib_dll.System.IO.Directory.CreateDirectory() contains a path manipulation flaw. The argument to the function is a filename constructed using user-supplied input. If an attacker is allowed to specify all or part of the filename, it may be possible to gain unauthorized access to files on the server, including those outside the webroot, that would normally be inaccessible to end users. The level of exposure depends on the effectiveness of input validation routines, if any. The first argument to CreateDirectory() contains tainted data. The tainted data originated from earlier calls to system_web_dll.system.web.ui.control.get_viewstate, and system_web_dll.system.web.httprequest.get_applicationpath.
Validate all user-supplied input to ensure that it conforms to the expected format, using centralized data validation routines when possible. When using black lists, be sure that the sanitizing routine performs a sufficient number of iterations to remove all instances of disallowed characters.
References:
CWE (http://cwe.mitre.org/data/definitions/73.html)
WASC (http://webappsec.pbworks.com/Path-Traversal)
Scope: telerik_web_ui_dll.Telerik.Web.UI.Dictionaries.FileCustomDictionarySource
Function Prototype: void AddWord(string)
This call to mscorlib_dll.System.IO.StreamReader.!newinit_0_2() contains a path manipulation flaw. The argument to the function is a filename constructed using user-supplied input. If an attacker is allowed to specify all or part of the filename, it may be possible to gain unauthorized access to files on the server, including those outside the webroot, that would normally be inaccessible to end users. The level of exposure depends on the effectiveness of input validation routines, if any. The first argument to !newinit_0_2() contains tainted data. The tainted data originated from an earlier call to system_web_dll.system.web.httprequest.get_form.
Validate all user-supplied input to ensure that it conforms to the expected format, using centralized data validation routines when possible. When using black lists, be sure that the sanitizing routine performs a sufficient number of iterations to remove all instances of disallowed characters.
References:
CWE (http://cwe.mitre.org/data/definitions/73.html)
WASC (http://webappsec.pbworks.com/Path-Traversal)
Scope: telerik_web_ui_dll.Telerik.Web.UI.RadFileExplorer
Function Prototype: void DeleteItems(string[])
This call to telerik_web_ui_dll.Telerik.Web.UI.Widgets.FileBrowserContentProvider.DeleteFile() contains a path manipulation flaw. The argument to the function is a filename constructed using user-supplied input. If an attacker is allowed to specify all or part of the filename, it may be possible to gain unauthorized access to files on the server, including those outside the webroot, that would normally be inaccessible to end users. The level of exposure depends on the effectiveness of input validation routines, if any. The first argument to DeleteFile() contains tainted data. The tainted data originated from earlier calls to system_web_dll.system.web.ui.control.get_viewstate, and system_web_dll.system.web.httprequest.get_params.
Validate all user-supplied input to ensure that it conforms to the expected format, using centralized data validation routines when possible. When using black lists, be sure that the sanitizing routine performs a sufficient number of iterations to remove all instances of disallowed characters.
References:
CWE (http://cwe.mitre.org/data/definitions/73.html)
WASC (http://webappsec.pbworks.com/Path-Traversal)
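The three findings above share one sink pattern: a path built from request data (form field, query parameters, ViewState) reaches Directory.CreateDirectory(), a StreamReader constructor, or DeleteFile(). The check Veracode's recommendation is asking for is a canonicalize-then-contain test against the configured content root. The following is an added example written for this thread; it is not part of the original post and not Telerik's or Veracode's code, and the names SafePath and ResolveUnderRoot are assumptions made here. It shows the check in front of the same kinds of file-system calls that were flagged.

```csharp
using System;
using System.IO;

// Added example (not Telerik's code): map a user-supplied relative path onto a
// configured content root and refuse anything that resolves outside it.
public static class SafePath
{
    // Returns the canonical absolute path of userPath under rootDirectory, or
    // throws when the input is empty, absolute, malformed, or escapes the root.
    public static string ResolveUnderRoot(string rootDirectory, string userPath)
    {
        if (string.IsNullOrWhiteSpace(userPath))
            throw new ArgumentException("path must not be empty", nameof(userPath));

        // A content provider should only ever see names relative to its root.
        // Path.Combine would silently discard the root if the second argument were rooted.
        if (Path.IsPathRooted(userPath))
            throw new UnauthorizedAccessException("absolute paths are not allowed");

        // Reject characters the file system itself treats as invalid.
        if (userPath.IndexOfAny(Path.GetInvalidPathChars()) >= 0)
            throw new ArgumentException("path contains invalid characters", nameof(userPath));

        // Canonicalize the root and give it a trailing separator so that a root of
        // "C:\data\files" does not accept "C:\data\files_private\x" as "inside".
        string root = Path.GetFullPath(rootDirectory);
        if (!root.EndsWith(Path.DirectorySeparatorChar.ToString()))
            root += Path.DirectorySeparatorChar;

        // GetFullPath collapses ".", ".." and repeated separators, so any traversal
        // sequence is resolved to its real target before the prefix comparison.
        string full = Path.GetFullPath(Path.Combine(root, userPath));

        // Windows paths are case-insensitive; compare accordingly there.
        StringComparison cmp = Environment.OSVersion.Platform == PlatformID.Win32NT
            ? StringComparison.OrdinalIgnoreCase
            : StringComparison.Ordinal;

        if (!full.StartsWith(root, cmp))
            throw new UnauthorizedAccessException("path escapes the content root");

        return full;
    }

    // Convenience wrapper: true and the resolved path when accepted, false otherwise.
    public static bool TryResolveUnderRoot(string rootDirectory, string userPath, out string resolved)
    {
        try
        {
            resolved = ResolveUnderRoot(rootDirectory, userPath);
            return true;
        }
        catch (Exception e) when (e is ArgumentException || e is UnauthorizedAccessException)
        {
            resolved = null;
            return false;
        }
    }

    // Demonstration with a constructed root under the temp directory.
    public static void Main()
    {
        string root = Path.Combine(Path.GetTempPath(), "content-root");
        Directory.CreateDirectory(root);

        // Constructed inputs: the first stays inside the root, the rest do not.
        string[] inputs =
        {
            Path.Combine("uploads", "2024"),
            Path.Combine("..", "..", "outside.txt"),
            "uploads/../../../outside.txt",
            "/abs/outside.txt",
        };

        foreach (string input in inputs)
        {
            if (TryResolveUnderRoot(root, input, out string resolved))
            {
                // Only a checked path reaches the flagged sinks.
                Directory.CreateDirectory(resolved);
                Console.WriteLine("accepted \"" + input + "\" -> " + resolved);
            }
            else
            {
                Console.WriteLine("rejected \"" + input + "\"");
            }
        }
    }
}
```

Two practical notes for the Veracode discussion. First, the reviewer will want to see that every path reaching CreateDirectory(), the StreamReader constructor and DeleteFile() has passed a check of this shape against the provider's configured root(s); if the application cannot point to that check on each of the three data flows, the finding should be kept open rather than justified. Second, Path.GetFullPath() normalizes the string but does not follow junctions or symbolic links, so a reparse point placed inside the content root can still point elsewhere; the root directory and its contents should be writable only by the process that manages them.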