CWE-41 Individual Dictionary Definition (Draft 9)

Failure to Resolve Path Equivalence
Weakness ID: 41 (Weakness Class)
Status: Incomplete

Description

Summary

The system or application is vulnerable to file system contents disclosure through path equivalence. Path equivalence involves the use of special characters in file and directory names. The associated manipulations are intended to generate multiple names for the same object. Path equivalence is usually employed in order to circumvent access controls expressed using an incomplete set of file name or file path representations. This is different from path traversal, wherein the manipulations are performed to generate a name for a different object.

Affected Resource

File/Directory

Potential Mitigations

Assume all input is malicious. Attackers can insert special characters into resources (e.g. filenames) to disguise their input. Use an appropriate combination of black lists and white lists to ensure only valid and expected input is processed by the system. Warning: if you attempt to cleanse your data, do so in such a way that the end result is not in a form that can be dangerous. A sanitizing mechanism can remove characters such as '.' and ';' which may be required for some exploits. An attacker can try to fool the sanitizing mechanism into "cleaning" data into a dangerous form. Suppose the attacker injects a '.' inside a filename (e.g. "sensi.tiveFile") and the sanitizing mechanism removes the character, resulting in the valid filename "sensitiveFile". If the input data are now assumed to be safe, then the file may be compromised.
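The Summary's incomplete access control and the cleansing pitfall described above, shown next to their corrected forms. This is an added example, not part of the CWE entry; the protected path, the policy set and all function names are constructed for illustration.

```python
import posixpath
from typing import Optional

# Constructed sample policy: one protected object, stored in canonical form.
PROTECTED = {"/srv/app/private/report.txt"}

def naive_is_denied(path: str) -> bool:
    """Weak check: matches only one spelling of the protected name."""
    return path in PROTECTED

def canonicalize(path: str) -> str:
    """Reduce equivalent POSIX spellings to a single lexical form."""
    if not path.startswith("/"):
        raise ValueError("absolute path required")
    # normpath preserves exactly two leading slashes, so collapse them first.
    path = "/" + path.lstrip("/")
    # Collapses '//', '/./', 'dir/../' and trailing slashes. Purely lexical:
    # symlinks need os.path.realpath() against the real file system.
    return posixpath.normpath(path)

def hardened_is_denied(path: str) -> bool:
    """Canonicalize first, then compare against the policy."""
    return canonicalize(path) in PROTECTED

# Equivalent spellings built from the variant names listed on this page.
EQUIVALENT = [
    "/srv/app/private/report.txt/",
    "//srv/app/private/report.txt",
    "/srv/app//private/report.txt",
    "/srv/app/private/report.txt//",
    "/srv/app/./private/report.txt",
    "/srv/app/fakechild/../private/report.txt",
]

def strip_dots(name: str) -> str:
    """The cleansing step from the mitigation text: removes '.' characters."""
    return name.replace(".", "")

def check_then_clean(name: str, blocked: set) -> Optional[str]:
    """Wrong order: validates the raw input, then uses the cleansed result."""
    return None if name in blocked else strip_dots(name)

def clean_then_check(name: str, blocked: set) -> Optional[str]:
    """Right order: the value that is validated is the value that is used."""
    cleaned = strip_dots(name)
    return None if cleaned in blocked else cleaned
```

The lexical canonicalization here covers only the POSIX slash and dot variants; trailing dots, trailing spaces and 8.3 names depend on Windows file system semantics and need the platform's own path resolution.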

Context Notes

Some of these manipulations could be effective in path traversal issues, too.

Relationships
Nature | Type | ID | Name
ChildOf | Weakness Class | 21 | Pathname Traversal and Equivalence Errors
ChildOf | Category | 632 | Weaknesses that Affect Files or Directories
ParentOf | Weakness Variant | 42 | Path Equivalence: 'filename.' (Trailing Dot)
ParentOf | Weakness Variant | 44 | Path Equivalence: 'file.name' (Internal Dot)
ParentOf | Weakness Variant | 46 | Path Equivalence: 'filename ' (Trailing Space)
ParentOf | Weakness Variant | 47 | Path Equivalence: ' filename (Leading Space)
ParentOf | Weakness Variant | 48 | Path Equivalence: 'file name' (Internal Whitespace)
ParentOf | Weakness Variant | 49 | Path Equivalence: 'filename/' (Trailing Slash)
ParentOf | Weakness Variant | 50 | Path Equivalence: '//multiple/leading/slash'
ParentOf | Weakness Variant | 51 | Path Equivalence: '/multiple//internal/slash'
ParentOf | Weakness Variant | 52 | Path Equivalence: '/multiple/trailing/slash//'
ParentOf | Weakness Variant | 53 | Path Equivalence: '\multiple\\internal\backslash'
ParentOf | Weakness Variant | 54 | Path Equivalence: 'filedir\' (Trailing Backslash)
ParentOf | Weakness Variant | 55 | Path Equivalence: '/./' (Single Dot Directory)
ParentOf | Weakness Variant | 56 | Path Equivalence: 'filedir*' (Wildcard)
ParentOf | Weakness Variant | 57 | Path Equivalence: 'dirname/fakechild/../realchild/filename'
ParentOf | Weakness Variant | 58 | Path Equivalence: Windows 8.3 Filename

Source Taxonomies

PLOVER - Path Equivalence

Applicable Platforms

All

Related Attack Patterns
CAPEC-ID | Attack Pattern Name
3 | Using Leading 'Ghost' Character Sequences to Bypass Input Filters
4 | Using Alternative IP Address Encodings

Page Last Updated: April 22, 2008