...

This vulnerability exists when an application accepts a direct object reference to a specific filename as an input parameter and then serves that file to the user. An attacker can then traverse arbitrary directories on the server to view files that would not normally be accessible, including sensitive files such as /etc/passwd.

...

Implement the ESAPI validator: ESAPI.validator().isValidFileName("context", filename, false)
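The flaw described above beside a hardened version, as an added Python example that is not from the original page: the SAFE_NAME allow-list and the two serve_* functions are constructed here and stand in for a validator call such as the ESAPI one above.

```python
"""Vulnerable vs hardened file serving for a user-supplied filename."""
import os
import re
import tempfile
from pathlib import Path

# Allow-list for a bare file name: no separators, no leading dot, no
# percent-encoding. Constructed for this example in the spirit of a
# file-name validator such as ESAPI.validator().isValidFileName().
SAFE_NAME = re.compile(r"^[A-Za-z0-9_-][A-Za-z0-9._-]{0,254}$")


def serve_vulnerable(base_dir: str, filename: str) -> bytes:
    """The flaw on the page: the parameter is joined to the base directory
    and served as-is, so '..' components walk out of base_dir."""
    with open(os.path.join(base_dir, filename), "rb") as fh:
        return fh.read()


def serve_hardened(base_dir: str, filename: str) -> bytes:
    """Reject anything that is not a plain file name, then confirm the
    resolved path is still directly inside base_dir before opening it."""
    if not SAFE_NAME.fullmatch(filename):
        raise ValueError("invalid file name")
    base = Path(base_dir).resolve()
    target = (base / filename).resolve()
    # resolve() follows symlinks, so a link pointing outside base is caught too
    if target.parent != base:
        raise ValueError("path escapes base directory")
    if not target.is_file():
        raise FileNotFoundError(filename)
    return target.read_bytes()


def demo() -> dict:
    """Build a constructed directory layout and exercise both functions."""
    with tempfile.TemporaryDirectory() as tmp:
        root = Path(tmp)
        public = root / "public"
        public.mkdir()
        (public / "report.txt").write_bytes(b"public report")
        (root / "secret.txt").write_bytes(b"secret")  # outside public/
        results = {
            "vuln_normal": serve_vulnerable(str(public), "report.txt"),
            "vuln_traversal": serve_vulnerable(str(public), "../secret.txt"),
            "hard_normal": serve_hardened(str(public), "report.txt"),
        }
        try:
            serve_hardened(str(public), "../secret.txt")
            results["hard_traversal"] = "served"
        except ValueError as exc:
            results["hard_traversal"] = str(exc)
        return results
```

Running demo() shows the vulnerable function returning the file outside the public directory while the hardened one rejects the same input before touching the filesystem.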

Learn More:

OWASP Development Guide: Chapter on Configuration

OWASP Code Review Guide: Chapter on Error Handling

http://www.owasp.org/index.php/Error_Handling

OWASP Testing Guide: Configuration Management

OWASP Testing Guide: Testing for Error Codes

OWASP Top 10 2004 – Insecure Configuration Management

http://www.owasp.org/index.php/A10_2004_Insecure_Configuration_Management

PC Magazine Article on Web Server Hardening

CWE Entry 2 on Environmental Security Flaws

CIS Security Configuration Guides/Benchmarks