...
This vulnerability exists when an application accepts a direct object reference to a specific filename as an input parameter and then serves that file to the user. A malicious attacker can then traverse through arbitrary directories on the server to view files which would not normally be accessible, including sensitive files such as /etc/passwd.
...
Implement ESAPI.validator: ESAPI.validator().isValidFileName("context", filename, false)
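The following added example (not code from the original page or from the ESAPI project) shows the validator call in a file-serving method, followed by a base-directory containment check as a second layer. The class name, the `/var/app/downloads` directory and the "download" context label are assumptions, and ESAPI must be on the classpath with its configuration files available.

```java
import java.io.IOException;
import java.nio.file.Files;
import java.nio.file.Path;
import java.nio.file.Paths;
import org.owasp.esapi.ESAPI;

public class SafeFileServer {
    // Hypothetical directory holding the only files users are allowed to fetch.
    private static final Path BASE_DIR =
            Paths.get("/var/app/downloads").toAbsolutePath().normalize();

    /** Returns the file contents, or throws if the name fails validation. */
    public static byte[] readUserFile(String filename) throws IOException {
        // 1. The check named in the text. allowNull=false means a null or
        //    empty name is treated as invalid rather than accepted.
        if (!ESAPI.validator().isValidFileName("download", filename, false)) {
            throw new SecurityException("file name failed validation");
        }
        // 2. Second layer: resolve against the base directory and confirm the
        //    normalized result is still inside it.
        Path requested = BASE_DIR.resolve(filename).normalize();
        if (!requested.startsWith(BASE_DIR)) {
            throw new SecurityException("path escapes base directory");
        }
        // 3. Resolve symbolic links and repeat the containment check, so a link
        //    inside the directory cannot point at a file outside it.
        Path real = requested.toRealPath();
        if (!real.startsWith(BASE_DIR.toRealPath())) {
            throw new SecurityException("resolved path escapes base directory");
        }
        return Files.readAllBytes(real);
    }

    public static void main(String[] args) {
        // Constructed sample inputs: one plain name and two traversal attempts.
        String[] samples = {"report.pdf", "../../etc/passwd", "/etc/passwd"};
        for (String name : samples) {
            try {
                byte[] data = readUserFile(name);
                System.out.println(name + " -> served " + data.length + " bytes");
            } catch (SecurityException | IOException e) {
                System.out.println(name + " -> refused: " + e.getMessage());
            }
        }
    }
}
```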
Learn More:
...
OWASP Testing Guide: Testing for Error Codes
OWASP Top 10 2004 – Insecure Configuration Management
...