Web applications often contain functions to read and write files. If these functions are buggy and an attacker can break out of the intended file directory this is called a “path traversal attack”.
Reading capabilities may allow an attacker to read critical data such as configuration files, passwords and databases. Write access may enable the creation or manipulation of web pages. In extreme cases system files could be overwritten.