A Path Traversal attack aims to access files and directories that are stored outside the web root folder by manipulating variables that reference files with "dot-dot-slash" sequences and its variations. This can allow an attacker to access arbitrary files and directories stored on file system, including application source code, configuration and critical system files.
During testing, it was possible for an administrator user to exploit the RoxyFileman file upload functionality to read and write arbitrary files on the server. For example it was possible to read the DataSettings.json file in the /App_Data/ folder containing the connection string to the database server or to save a file in the C:/Users/Public/ folder. This was exploited during the creation of a new product, in the image upload functionality of the full description field.
Sample affected URL:
https://smarthomestore.xxx.com/Admin/RoxyFileman/ProcessRequest?a=UPLOAD (Write)
Note: It was not possible to delete all files uploaded during the test and as such it is recommended to review the files in the following folders:
C:\Users\Public\ C:\inetpub\SmartHome\ C:\inetpub\SmartHome\wwwroot\images\
Got this fail from pen test
Directory browsing isn't on