* Add csharp to rule S6549 * Add RSPEC for S6549 for C# * Update rules/S6549/csharp/how-to-fix-it/asp.net.adoc Co-authored-by: Hendrik Buchwald <64110887+hendrik-buchwald-sonarsource@users.noreply.github.com> * Update rules/S6549/csharp/how-to-fix-it/asp.net.adoc Co-authored-by: Hendrik Buchwald <64110887+hendrik-buchwald-sonarsource@users.noreply.github.com> * Update rules/S6549/csharp/how-to-fix-it/asp.net.adoc Co-authored-by: Hendrik Buchwald <64110887+hendrik-buchwald-sonarsource@users.noreply.github.com> * Correct function name --------- Co-authored-by: daniel-teuchert-sonarsource <daniel-teuchert-sonarsource@users.noreply.github.com> Co-authored-by: Daniel Teuchert <daniel.teuchert@sonarsource.com> Co-authored-by: daniel-teuchert-sonarsource <141642369+daniel-teuchert-sonarsource@users.noreply.github.com> Co-authored-by: Hendrik Buchwald <64110887+hendrik-buchwald-sonarsource@users.noreply.github.com>
13 lines
671 B
Plaintext
=== What is the potential impact?

An attacker exploiting a filesystem oracle vulnerability can determine whether a file exists.

The files that can be affected are limited by the permissions of the process
that runs the application. In the worst case, the process runs with elevated privileges, and therefore any file can be affected.

Below are some real-world scenarios that illustrate some impacts of an attacker
exploiting the vulnerability.

==== Information gathering

The vulnerability is exploited to gather information about the host system. The filesystem oracle can help identify user accounts, running services, or the exact version of installed software.
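
The following C# program is an added illustration, not part of the rule text or the project's own code. It contrasts an existence check that acts as a filesystem oracle with one confined to a base directory. The class name, method names, directory, and file names are assumptions, and all sample files are constructed.

```csharp
using System;
using System.IO;

public static class FileOracleDemo
{
    // Assumed base directory for user-addressable files (hypothetical name).
    private static readonly string BaseDir =
        Path.GetFullPath(Path.Combine(Path.GetTempPath(), "uploads-demo"));

    // Oracle: the caller-supplied name is joined unchecked. Path.Combine keeps
    // "../" segments and lets an absolute path replace BaseDir entirely, so the
    // answer covers every file the process has permission to see.
    public static bool ExistsUnchecked(string userName) =>
        File.Exists(Path.Combine(BaseDir, userName));

    // Confined: canonicalize first, then answer only for paths inside BaseDir.
    public static bool ExistsConfined(string userName)
    {
        string full = Path.GetFullPath(Path.Combine(BaseDir, userName));
        string root = BaseDir + Path.DirectorySeparatorChar;
        if (!full.StartsWith(root, StringComparison.Ordinal))
            return false; // same answer as "not found", so nothing is revealed
        return File.Exists(full);
    }

    public static void Main()
    {
        // Constructed sample data: one file inside BaseDir, one outside it
        // standing in for a file elsewhere on the host.
        Directory.CreateDirectory(BaseDir);
        File.WriteAllText(Path.Combine(BaseDir, "report.txt"), "constructed sample");
        string outside = Path.Combine(Path.GetTempPath(), "outside-demo.txt");
        File.WriteAllText(outside, "constructed sample");

        string[] inputs = { "report.txt", "../outside-demo.txt", outside, "missing.txt" };
        foreach (string input in inputs)
        {
            Console.WriteLine(
                $"{input,-45} unchecked={ExistsUnchecked(input)} confined={ExistsConfined(input)}");
        }
    }
}
```

`Path.GetFullPath` normalizes `..` segments but does not resolve symbolic links, so a link placed inside the base directory still needs separate handling.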