|
|
|
|
CWE-22 Individual Dictionary Definition (Draft 9)
Weakness ID
| Status: Draft 22 (Weakness Class) | | Description | Summary The software, when constructing file or directory names from input, does not properly
sanitize special character sequences that resolve to a file or directory name that is outside of
the intended directory or directories. | | Alternate Terms | Directory traversal "Path traversal" is preferred over "directory traversal." Like other Weaknesses, terminology is often based on the types of manipulations used,
instead of the underlying Weaknesses. Some people use "directory traversal" only to refer to the injection of ".." and
equivalent sequences whose specific meaning is to traverse directories. Other variants like
"absolute pathname" and "drive letter" have the *effect* of directory traversal, but some people
may not call it such, since it doesn't involve ".." or equivalent. | | Functional Area | File processing | | Weakness Ordinality | Primary (Weakness exists independent of other weaknesses) | | Causal Nature | Explicit (This is an explicit weakness resulting from behavior of the developer) | | Affected Resource | File/Directory | | Potential Mitigations | Assume all input is malicious. Attackers can insert paths into input vectors and
traverse the file system. Use an appropriate combination of black lists and white lists to
ensure only valid and expected input is processed by the system. Warning: if you attempt to
cleanse your data, then do so that the end result is not in the form that can be dangerous. A
sanitizing mechanism can remove characters such as ‘.' and ‘;' which may be required for some
exploits. An attacker can try to fool the sanitizing mechanism into "cleaning" data into a
dangerous form. Suppose the attacker injects a ‘.' inside a filename (e.g. "sensi.tiveFile")
and the sanitizing mechanism removes the character resulting in the valid filename,
"sensitiveFile". If the input data are now assumed to be safe, then the file may be
compromised. | | Context Notes | Pathname equivalence can be regarded as a type of canonicalization error. Some pathname equivalence issues are not directly related to directory traversal,
rather are used to bypass security-relevant checks for whether a file/directory can be accessed by
the attacker (e.g. a trailing "/" on a filename could bypass access rules that don't expect a
trailing /, causing a server to provide the file when it normally would not). Incomplete diagnosis or reporting of vulnerabilities can make it difficult to know
which variant is affected. For example, a researcher might say that "..\" is vulnerable, but not
test "../" which may also be vulnerable. Any combination of the items below can provide its own variant, e.g. "//../" is not
listed (CVE-2004-0325). | | Research Gaps | Most of these issues are probably under-studied | | Relationships | | | Source Taxonomies | PLOVER - Path Traversal | | Applicable Platforms | All | | Related Attack Patterns | | CAPEC-ID | Attack Pattern Name |
|---|
| 76 | Manipulating Input to File System Calls | | 23 | File System Function Injection, Content Based |
|
|