Absolute Path Traversal| ID: 36 | Date: (C)2012-05-14 (M)2022-10-10 |
| Type: weakness | Status: DRAFT |
| Abstraction Type: Base |
Description
The software uses external input to construct a pathname that
should be within a restricted directory, but it does not properly neutralize
absolute path sequences such as "/abs/path" that can resolve to a location that
is outside of that directory.
Extended DescriptionThis allows attackers to traverse the file system to access files or
directories that are outside of the restricted directory.
Applicable PlatformsLanguage Class: All
Time Of Introduction
- Architecture and Design
- Implementation
Common Consequences
| Scope | Technical Impact | Notes |
|---|
| IntegrityConfidentialityAvailability | Execute unauthorized code or
commands | The attacker may be able to create or overwrite critical files that
are used to execute code, such as programs or libraries. |
| Integrity | Modify files or
directories | The attacker may be able to overwrite or create critical files, such
as programs, libraries, or important data. If the targeted file is used
for a security mechanism, then the attacker may be able to bypass that
mechanism. For example, appending a new account at the end of a password
file may allow an attacker to bypass authentication. |
| Confidentiality | Read files or
directories | The attacker may be able read the contents of unexpected files and
expose sensitive data. If the targeted file is used for a security
mechanism, then the attacker may be able to bypass that mechanism. For
example, by reading a password file, the attacker could conduct brute
force password guessing attacks in order to break into an account on the
system. |
| Availability | DoS: crash / exit /
restart | The attacker may be able to overwrite, delete, or corrupt unexpected
critical files such as programs, libraries, or important data. This may
prevent the software from working at all and in the case of a protection
mechanisms such as authentication, it has the potential to lockout every
user of the software. |
Detection MethodsNone
Potential Mitigations
| Phase | Strategy | Description | Effectiveness | Notes |
|---|
| | | see "Path Traversal" (CWE-22) | | |
Relationships
| Related CWE | Type | View | Chain |
|---|
| CWE-36 ChildOf CWE-893 | Category | CWE-888 | |
Demonstrative Examples (Details)
- In the example below, the path to a dictionary file is read from a
system property and used to initialize a File object. (Demonstrative Example Id DX-18)
- The following code demonstrates the unrestricted upload of a file
with a Java servlet and a path traversal vulnerability. The action attribute
of an HTML form is sending the upload file request to the Java
servlet. (Demonstrative Example Id DX-22)
Observed Examples
- CVE-2002-1345 : Multiple FTP clients write arbitrary files via absolute paths in server responses
- CVE-2001-1269 : ZIP file extractor allows full path
- CVE-2002-1818 : Path traversal using absolute pathname
- CVE-2002-1913 : Path traversal using absolute pathname
- CVE-2005-2147 : Path traversal using absolute pathname
- CVE-2000-0614 : Arbitrary files may be overwritten via compressed attachments that specify absolute path names for the decompressed output.
- CVE-1999-1263 : Mail client allows remote attackers to overwrite arbitrary files via an e-mail message containing a uuencoded attachment that specifies the full pathname for the file to be modified.
- CVE-2003-0753 : Remote attackers can read arbitrary files via a full pathname to the target file in config parameter.
- CVE-2002-1525 : Remote attackers can read arbitrary files via an absolute pathname.
- CVE-2001-0038 : Remote attackers can read arbitrary files by specifying the drive letter in the requested URL.
- CVE-2001-0255 : FTP server allows remote attackers to list arbitrary directories by using the "ls" command and including the drive letter name (e.g. C:) in the requested pathname.
- CVE-2001-0933 : FTP server allows remote attackers to list the contents of arbitrary drives via a ls command that includes the drive letter as an argument.
- CVE-2002-0466 : Server allows remote attackers to browse arbitrary directories via a full pathname in the arguments to certain dynamic pages.
- CVE-2002-1483 : Remote attackers can read arbitrary files via an HTTP request whose argument is a filename of the form "C:" (Drive letter), "//absolute/path", or ".." .
- CVE-2004-2488 : FTP server read/access arbitrary files using "C:\" filenames
- CVE-2001-0687 : FTP server allows a remote attacker to retrieve privileged web server system information by specifying arbitrary paths in the UNC format (\\computername\sharename).
For more examples, refer to CVE relations in the bottom box.
White Box Definitions None
Black Box Definitions None
Taxynomy Mappings
| Taxynomy | Id | Name | Fit |
|---|
| PLOVER | | Absolute Path Traversal | |
References:
- Mark Dowd John McDonald Justin Schuh .The Art of Software Security Assessment 1st Edition. Addison Wesley. Section:'Chapter 9, "Filenames and Paths", Page
503.'. Published on 2006.
