Applications behave as filesystem oracles when they disclose to attackers if resources from the filesystem exist or not.
A user with malicious intent would inject specially crafted values, such as ../, to change the initially intended path. The resulting
path would resolve to a location somewhere in the filesystem which the user should not normally have access to.
What is the potential impact?
An attacker exploiting a filesystem oracle vulnerability can determine if a file exists or not.
The files that can be affected are limited by the permission of the process that runs the application. Worst case scenario: the process runs with
elevated privileges, and therefore any file can be affected.
Below are some real-world scenarios that illustrate some impacts of an attacker exploiting the vulnerability.
Information gathering
The vulnerability is exploited to gather information about the host system. The filesystem oracle can help identify user accounts, running
services, or the exact version of installed software.
