If user input is used as the source of a file or directory name when opening a file, an attacker can manipulate that input so the file is opened from an unintended location. Suppose you wrote the following Public procedure in a server application to save user settings to a file. Your intent is to write the file to the same directory as the application by using Application.StartupPath.
' Application.StartupPath lives in System.Windows.Forms; FreeFile, FileOpen,
' PrintLine and FileClose come from Microsoft.VisualBasic (imported by default).
Imports Microsoft.VisualBasic
Imports System.Windows.Forms

' Vulnerable as written: UserName is concatenated straight into the path,
' so a value containing "..\" escapes the application directory.
Public Sub SaveSettings(ByVal UserName As String, _
                        ByVal Settings As String)
    Dim hFile As Integer = FreeFile()
    ' Intended result: <StartupPath>\<UserName>; no validation is performed.
    Dim Filename As String = Application.StartupPath & "\" & _
                             UserName
    FileOpen(hFile, Filename, OpenMode.Output)   ' creates or truncates the file
    PrintLine(hFile, Settings)                    ' attacker also controls the contents
    FileClose(hFile)
End Sub
If an attacker can deceive this procedure by passing in unexpected directory paths, such as a path containing two dots (..), which denote the parent directory, the attacker can cause SaveSettings to create a file anywhere on the current disk drive, overwriting any existing file with the same name.
For instance, if the attacker passes a user name value such as ..\..\..\..\..\..\Windows\NotePad.Exe, the SaveSettings procedure will overwrite Notepad, that is, assuming the operating system is installed on the same drive as the application, Windows is installed in a directory named Windows off the root directory, and the attacker has supplied enough parent directory (..) specifiers to reach the root of the disk drive.
The attacker is assisted by the fact that the operating system treats an overabundance of parent (..) directory specifiers as a path reference to the root directory.
The attacker can simply supply a surplus of parent (..) directory specifiers to guarantee a reference to the root directory, followed by the name of the Windows directory. In the example just given, by passing ..\..\..\..\..\.. as part of the user name value, the attacker assumes that the application is nested no more than six directories deep under the root directory.
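The following is an added example, not code from the original post, showing the two checks a hardened SaveSettings needs: a whitelist test on the user name itself, and a second test that resolves the final path with Path.GetFullPath and confirms it still lies inside the settings directory (this also makes the root-collapse behaviour of surplus ".." visible). The module name, the "settings" subdirectory, the ".txt" suffix and the constructed "C:\App\Bin" base path are assumptions for illustration; Application.StartupPath requires a reference to System.Windows.Forms, exactly as in the original code.

```vb
' Added example (not from the original post): a hardened SaveSettings.
Imports System
Imports System.IO
Imports System.Windows.Forms

Public Module SafeSettings

    ' Accepts only a plain file name component: no separators, no drive
    ' letter, no "." or ".." segments, no characters illegal in file names.
    Public Function IsSafeUserName(ByVal UserName As String) As Boolean
        If String.IsNullOrEmpty(UserName) Then Return False
        If UserName = "." OrElse UserName = ".." Then Return False
        If UserName.IndexOfAny(Path.GetInvalidFileNameChars()) >= 0 Then Return False
        ' Explicit separator/drive checks so the intent is obvious and the
        ' behaviour is the same on platforms where "\" is not a separator.
        If UserName.IndexOf("\"c) >= 0 OrElse UserName.IndexOf("/"c) >= 0 _
           OrElse UserName.IndexOf(":"c) >= 0 Then Return False
        Return True
    End Function

    ' Defence in depth: normalise the candidate path and refuse anything that
    ' does not stay under BaseDir after ".." segments have been collapsed.
    Public Function ResolveInside(ByVal BaseDir As String, ByVal Name As String) As String
        Dim root As String = Path.GetFullPath(BaseDir)
        If Not root.EndsWith(Path.DirectorySeparatorChar.ToString()) Then
            root &= Path.DirectorySeparatorChar
        End If
        Dim candidate As String = Path.GetFullPath(Path.Combine(root, Name))
        If Not candidate.StartsWith(root, StringComparison.OrdinalIgnoreCase) Then
            Throw New UnauthorizedAccessException("Path escapes settings directory: " & Name)
        End If
        Return candidate
    End Function

    Public Sub SaveSettings(ByVal UserName As String, ByVal Settings As String)
        If Not IsSafeUserName(UserName) Then
            Throw New ArgumentException("Invalid user name: " & UserName)
        End If
        ' Assumption: settings live in a dedicated subdirectory, not next to the binary.
        Dim settingsDir As String = Path.Combine(Application.StartupPath, "settings")
        Directory.CreateDirectory(settingsDir)
        Dim fullPath As String = ResolveInside(settingsDir, UserName & ".txt")
        File.WriteAllText(fullPath, Settings)
    End Sub

    Sub Main()
        ' Constructed inputs: the traversal value from the post and an ordinary name.
        Dim traversal As String = "..\..\..\..\..\..\Windows\NotePad.Exe"
        Console.WriteLine("IsSafeUserName(traversal) = " & IsSafeUserName(traversal))
        Console.WriteLine("IsSafeUserName(""alice"")  = " & IsSafeUserName("alice"))

        ' Shows how Windows collapses surplus ".." segments to the drive root
        ' (constructed base directory; run on Windows to see the collapse).
        Console.WriteLine(Path.GetFullPath(Path.Combine("C:\App\Bin", traversal)))

        Try
            ResolveInside("C:\App\Bin", traversal)
        Catch ex As UnauthorizedAccessException
            Console.WriteLine("rejected: " & ex.Message)
        End Try
    End Sub

End Module
```

The traversal value fails IsSafeUserName because it contains "\" and ".." segments, and even if it reached ResolveInside the normalised path would begin with C:\Windows rather than C:\App\Bin\ and be refused. The whitelist check is the primary control; the resolved-path check exists so that a future change to how the name is built cannot silently reintroduce the escape.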
Imagine further that instead of Notepad.Exe the attacker supplied the name of a critical operating system file or a personal file (located in any other directory), and that it too was overwritten with the contents of the settings string.
In addition, what if your application unintentionally gives the attacker the ability not only to save the file wherever he wants, but also to determine the contents of the file?
The attacker could overwrite an .EXE such as NOTEPAD.EXE with his own file called NOTEPAD.EXE containing his own custom executable code, for example code that calls FORMAT.COM to erase the contents of one of your hard disk drives. The changes the attacker made to NOTEPAD.EXE would lie dormant until another user (perhaps you) comes along and executes it, and poof! All the data on one of your hard drives is erased.