Arbitrary File Write

Arbitrary File Write is a critical vulnerability that allows attackers to write or create files at arbitrary locations on the server's filesystem. This typically leads to remote code execution by writing web shells or modifying configuration files.

How It Works

When an application writes files based on user-controlled paths without proper validation, attackers can write files to sensitive locations, potentially achieving code execution, privilege escalation, or denial of service.

Common Vulnerable Patterns

# File upload with path control
POST /upload?path=../../../var/www/html/shell.php

# Log file path manipulation
POST /settings?logfile=../../../var/www/html/backdoor.php

# Configuration export
POST /export?file=../../../.ssh/authorized_keys

# Archive extraction (Zip Slip)
# Malicious archive contains: ../../../var/www/html/shell.php

Exploitation Goals

  • Web shell: Write PHP/JSP/ASP file to web root
  • SSH access: Add key to ~/.ssh/authorized_keys
  • Cron jobs: Write to /etc/cron.d/ for persistence
  • Config modification: Alter application settings
  • Denial of service: Overwrite critical system files

Zip Slip Vulnerability

# Malicious archive entry name:
../../../var/www/html/shell.php

# When extracted without path validation, writes outside
# the intended extraction directory

Prevention

  • Never use user input directly in file paths
  • Validate archive entry paths before extraction, rejecting any that resolve outside the intended extraction directory
  • Use allowlists for permitted directories
  • Run application with minimal write permissions
