directory traversal security issue

Welcome to Wisej Support.

While playing with your beautiful framework I found a critical security issue which allows a directory traversal attack. It is possible to download and delete files on the server.

For example, to download the web.config you can call

Using download.wx, an attacker needs to know that the x parameter is a base64-encoded string. The decoded example above is {"file":"web.config","name":"web.config","delete":false}
To delete a file an attacker needs to change the delete property to true.

Maybe resource.wx should only allow files from a specific whitelisted folder. download.wx should use a token generated per session by Application.Download to avoid information disclosure.

best regards




This has been logged as WJ-7254 and already fixed in the nightly build, the way Luca described it.

Best regards


Thank you again. There was something that didn’t feel right about those callbacks…

This is how we solved it:

  • all internal resource requests must include a valid/active session id in the base64 package: when the session is retrieved by Wisej SessionManager it always checks the client fingerprint to avoid session hijacking.
  • all download requests (without the session id – since we don’t want to give out the sid in a downloadable link) are limited to the application’s root folder or the application’s temp folder in {system’s temp}\Wisej\{ApplicationName}\Temp.
  • the delete option is removed and temporary images are deleted by default.
  • all downloads from /bin are disallowed.
  • all downloads from /App_Data are disallowed.
  • all .json, .config, .dll downloads are disallowed.
  • for resource requests, only these types are allowed: jpg, gif, jpeg, png, js, css.

Please note that these restrictions only apply to files and resources managed by Wisej. Any common file/image request will always go through the browser.

When any of the conditions above fails, Wisej returns 404 (not found).

We will keep checking for any additional potential unsafe resource access.



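The checks listed in the answer above (canonical path confined to the application root or temp folder, no bin/ or App_Data/, no .json/.config/.dll, whitelisted resource types, session required for resources, delete flag ignored, 404 on any failure), implemented as an added Python example that is not Wisej's own code. The root paths, the "MyApp" name and the request kinds "download"/"resource" are assumptions.

```python
import base64
import json
import os
import tempfile

# Constructed layout (assumptions, not Wisej's real paths): the application root
# and the per-application temp folder {system temp}\Wisej\{ApplicationName}\Temp.
APP_ROOT = os.path.abspath("/srv/wisejapp")
APP_TEMP = os.path.abspath(os.path.join(tempfile.gettempdir(), "Wisej", "MyApp", "Temp"))
ALLOWED_ROOTS = (APP_ROOT, APP_TEMP)
FORBIDDEN_DIRS = {"bin", "app_data"}                    # compared case-insensitively
FORBIDDEN_EXTS = (".json", ".config", ".dll")
RESOURCE_EXTS = (".jpg", ".jpeg", ".gif", ".png", ".js", ".css")


def encode_x(pkg: dict) -> str:
    """Build the base64 JSON package carried by the x parameter (used by the test)."""
    return base64.b64encode(json.dumps(pkg).encode("utf-8")).decode("ascii")


def decode_x(x: str) -> dict:
    return json.loads(base64.b64decode(x).decode("utf-8"))


def resolve_path(requested: str):
    """Canonicalise `requested` under one of the allowed roots; None means 404."""
    requested = requested.replace("\\", "/")            # Windows separators count too
    if not requested:
        return None
    for root in ALLOWED_ROOTS:
        full = os.path.normpath(os.path.join(root, requested))
        try:
            if os.path.commonpath([root, full]) != root:
                continue                                # ../ escaped this root
        except ValueError:                              # different drive (Windows)
            continue
        dirs = os.path.relpath(full, root).split(os.sep)[:-1]
        if any(d.lower() in FORBIDDEN_DIRS for d in dirs):
            return None                                 # bin/ and App_Data/ are off limits
        if full.lower().endswith(FORBIDDEN_EXTS):
            return None                                 # config, json and assemblies never served
        return full
    return None


def handle(kind: str, x: str, session_valid: bool):
    """Return (200, path) for a request that may be served, else (404, None)."""
    requested = decode_x(x).get("file", "")
    if kind == "resource":
        # resource.wx: needs an active session and a whitelisted file type
        if not session_valid or not requested.lower().endswith(RESOURCE_EXTS):
            return 404, None
    # the "delete" flag is ignored: deleting through download.wx is no longer supported
    path = resolve_path(requested)
    return (200, path) if path else (404, None)
```

Any kind other than "resource" is treated as a download.wx request; the forbidden-directory check is stricter than the answer describes in that it blocks bin/ and App_Data/ at any depth.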

Hi Bernhard,

thanks for bringing this to our attention. I have logged this security issue as WJ-7254 and we will address it asap.
I will post an answer when it is fixed.

Best regards
Frank Boettcher
