C#

Made by DeepSource

Audit: Writing to a file that's in a publicly accessible directory CS-A1012

Security
Major
a01 cwe-377 owasp top 10 cwe-379

Writing to a log file is a perfectly normal behavior that most applications adopt. However, care must be taken that:

  1. The data that is being logged does not contain potentially sensitive information,
  2. Log files are cleared when no longer needed,
  3. Log files are placed in a directory with appropriate permissions.

In this case, the application is writing to a log file in a directory that may be publicly accessible. Verify that no sensitive data is being written to this log file and, if possible, move the log file to a more appropriate and tightly controlled directory.

Bad Practice

var logfile = new StreamWriter("/tmp/log");

Recommended

var logfile = new StreamWriter("/some/appropriate/path/log");
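One way to pick and enforce an "appropriate path", as an added example that is not part of DeepSource's documentation: the log goes into a per-user data directory that is created owner-only and checked before use. It assumes .NET 7 or later (for the `UnixFileMode` APIs); the `PrivateLog` class, the `example-app` name and the sample log entry are hypothetical.

```csharp
using System;
using System.IO;

// Constructed sample entry; contains no sensitive data.
using (StreamWriter log = PrivateLog.Open("app.log"))
    log.WriteLine($"{DateTime.UtcNow:O} service started");

static class PrivateLog
{
    const string AppName = "example-app"; // hypothetical application name

    const UnixFileMode OwnerOnlyDir =
        UnixFileMode.UserRead | UnixFileMode.UserWrite | UnixFileMode.UserExecute;
    const UnixFileMode GroupOrOther =
        UnixFileMode.GroupRead | UnixFileMode.GroupWrite | UnixFileMode.GroupExecute |
        UnixFileMode.OtherRead | UnixFileMode.OtherWrite | UnixFileMode.OtherExecute;

    public static StreamWriter Open(string fileName)
    {
        // Per-user data directory rather than a shared location such as /tmp.
        string baseDir = Environment.GetFolderPath(
            Environment.SpecialFolder.LocalApplicationData,
            Environment.SpecialFolderOption.Create);
        if (string.IsNullOrEmpty(baseDir))
            throw new InvalidOperationException("No per-user data directory available.");

        string logDir = Path.Combine(baseDir, AppName, "logs");
        var options = new FileStreamOptions
        {
            Mode = FileMode.Append, Access = FileAccess.Write, Share = FileShare.Read
        };

        if (OperatingSystem.IsWindows())
        {
            // Assumption: the ACL inherited from the user profile is restrictive enough.
            Directory.CreateDirectory(logDir);
        }
        else
        {
            Directory.CreateDirectory(logDir, OwnerOnlyDir); // 0700 for new directories
            options.UnixCreateMode = UnixFileMode.UserRead | UnixFileMode.UserWrite; // 0600
            // An existing directory keeps its old mode, so verify it before writing.
            if ((new DirectoryInfo(logDir).UnixFileMode & GroupOrOther) != UnixFileMode.None)
                throw new UnauthorizedAccessException($"{logDir} is accessible to other users.");
        }
        // GetFileName drops any directory part so the caller cannot escape logDir.
        return new StreamWriter(Path.Combine(logDir, Path.GetFileName(fileName)), options);
    }
}
```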
