Access Validation Error High Vega has detected a local file include vulnerability. Local file include attacks may allow for unauthorized access to files on the local server, including files outside of the webroot. This could aid in an attacker obtaining unauthorized access to the server. To prevent this type of vulnerability, the developer should canonicalize the path of any filesystem resource that has a path composed of externally-supplied input and then perform an authorization check prior to access. The realpath() library call will return the canonical path of the resource. It is implemented in PHP, Perl, and Python. For Ruby frameworks, File.expand_path can be used. GetFullPath() can be used on ASP.NET applications. getCanonicalPath() can be used in Java code. Additional protection against unauthorized access to filesystem resources can be obtained by using chroot() or similar mechanisms to limit filesystem access to the web application and http server process, although this can be difficult to manage. Local file include is a type of vulnerability that occurs when the web application uses externally-supplied input to specify the location of a resource that it is requesting from the local filesystem. The vulnerability often manifests itself when malicious users embed path parts such as "../" (on UNIX systems) to refer to resources relative to a parent directory. This is commonly known as a "directory traversal" or "path traversal" vulnerability as the application uses the externally-supplied input to construct the path to the local filesystem resource. However, other variations exist that may allow an attacker to request the file by an absolute path or otherwise request files that were not intended to be exposed to users of the web application. Directory Traversal (Wikipedia) Path Traversal (OWASP) Avoiding Path Traversal (OWASP)