Description
The /api/FileViewr/ endpoint on <hostlocal.com> accepts a user-controlled fileName parameter and returns the contents of arbitrary files from the host filesystem. I was able to retrieve C:\Windows\win.ini. This indicates insufficient input validation and lack of path canonicalization / allowlisting, resulting in Local File Disclosure (LFD) / Path Traversal.
- Affected endpoint: GET /api/FileViewr/?fileName=
- Impact: Disclosure of arbitrary local files readable by the application process. Classified as High risk due to the potential to leak configuration files, secrets, credentials, or other sensitive information.
Proof of Concept (sanitized)
Evidence below is limited to request headers and a minimal harmless file snippet for proof. Sensitive contents (secrets, full configs) are not included.
GET /api/FileViewr/?fileName=c%3a%5cwindows%5cwin.ini HTTP/2
Host: hostlocal.com
User-Agent: Mozilla/5.0 ...
Accept: */*
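The fix the report points at is canonicalization plus allowlisting before any file is opened. The following is an added example, not code from the original report or from any project: it assumes a constructed base directory `C:\inetpub\app\files` and a constructed extension allowlist, and uses `ntpath` so the Windows path semantics of the reported endpoint can be exercised on any platform.

```python
import ntpath
from urllib.parse import unquote

# Constructed values for the example: the only tree the endpoint may serve from,
# and the only file types it is meant to expose.
BASE_DIR = r"C:\inetpub\app\files"
ALLOWED_EXTENSIONS = {".txt", ".pdf", ".csv"}


def resolve_requested_file(file_name: str, base_dir: str = BASE_DIR):
    """Map a user-supplied fileName onto a permitted file under base_dir.

    Returns (full_path, None) on success or (None, reason) on rejection.
    The checks are lexical; the real handler must additionally open the file
    under a least-privileged identity so that a bypass still yields nothing.
    """
    name = unquote(file_name)  # one decode, matching what the web server does
    if not name or "\x00" in name:
        return None, "empty or contains NUL"

    # Rooted input such as c:\windows\win.ini, \\server\share or \foo must never
    # reach the join: ntpath.join discards base_dir when the second part is rooted,
    # which is exactly how an endpoint ends up serving arbitrary drive paths.
    if ntpath.isabs(name) or ntpath.splitdrive(name)[0] or name[0] in "\\/":
        return None, "rooted path rejected"

    # Canonicalize: collapses ".." and "." and turns "/" into "\" so that
    # traversal sequences are resolved before the containment check.
    full = ntpath.normpath(ntpath.join(base_dir, name))
    base = ntpath.normpath(base_dir)

    # Containment: the canonical result must sit strictly below base_dir.
    # NTFS is case-insensitive, so compare case-folded strings.
    if not full.lower().startswith(base.lower() + ntpath.sep):
        return None, "escapes base directory"

    # Allowlist by extension; this also rejects alternate data streams such as
    # "q1.txt:$DATA" because the trailing part is treated as the extension.
    if ntpath.splitext(full)[1].lower() not in ALLOWED_EXTENSIONS:
        return None, "extension not allowlisted"

    return full, None
```

Fed the report's own parameter value `c%3a%5cwindows%5cwin.ini`, the function stops at the rooted-path check; a `..`-based variant gets past that check and is stopped by the containment test instead.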
Page URL
https://learn.microsoft.com/ar-sa/aspnet/core/blazor/security/interactive-server-side-rendering?view=aspnetcore-9.0
Content source URL
https://github.com/dotnet/AspNetCore.Docs/blob/main/aspnetcore/blazor/security/interactive-server-side-rendering.md
Document ID
17ec9ee6-3d68-deb8-1c6b-27465837e038
Platform Id
7ddd95b4-62e6-06c4-dd4f-c77a3c2f79b4
Article author
@guardrex
Metadata
- ID: 17ec9ee6-3d68-deb8-1c6b-27465837e038
- PlatformId: 7ddd95b4-62e6-06c4-dd4f-c77a3c2f79b4
- Service: aspnet-core
- Sub-service: blazor
Related Issues