CWE (Common Weakness Enumeration): Individual Dictionary Definition (CWE version 2.11)
CWE-49: Path Equivalence: 'filename/' (Trailing Slash)

Weakness ID: 49
Abstraction: Variant
Status: Incomplete
+ Description

Description Summary

A software system that accepts path input with a trailing slash ('filedir/') without appropriate validation can resolve the path ambiguously, allowing an attacker to traverse the file system to unintended locations or access arbitrary files. The trailing slash is a path-equivalence variant: checks applied to the literal request string (extension-based handler mappings, access-control rules on a file name) do not match 'filedir/', while the underlying file layer still resolves it to the same file as 'filedir'.
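The mismatch described above, shown as an added example that is not part of the CWE entry: a web handler whose access check runs on the raw request string while the file layer normalizes the path, beside a version that decides on the canonical form. The document root, the protected suffixes and the 403/404 policy are constructed for the example; they are not taken from any product named in the entry.

```python
import posixpath

# Constructed in-memory document root standing in for a web server's
# filesystem (sample data for this example, not a real deployment).
DOCROOT = {
    "/index.jsp": "<% out.println(System.getenv(\"DB_PASSWORD\")); %>",
    "/.htpasswd": "admin:$apr1$constructed$hash",
    "/public/readme.txt": "public text",
}

# Resources the server must never return verbatim: .jsp source must go
# through the servlet engine, .htpasswd must never be served at all.
PROTECTED_SUFFIXES = (".jsp", ".htpasswd")


def is_protected(path):
    return path.endswith(PROTECTED_SUFFIXES)


def read_file(path):
    """File layer: normalises the path (dropping a trailing slash, '.' and
    '//') before the lookup, so '/index.jsp/' and '/index.jsp' are one file."""
    return DOCROOT.get(posixpath.normpath(path))


def serve_vulnerable(request_path):
    """Access check on the raw request string, lookup on the normalised one:
    the two layers disagree about what '/index.jsp/' names (CWE-49)."""
    if is_protected(request_path):
        return 403, None
    body = read_file(request_path)
    return (200, body) if body is not None else (404, None)


def canonicalize(request_path):
    """One canonical form for every equivalent spelling: leading slash,
    no '.', no '//', no '..', no trailing slash."""
    return posixpath.normpath("/" + request_path.lstrip("/"))


def serve_fixed(request_path):
    """Decide on the canonical path, and refuse the 'file/' spelling outright."""
    canonical = canonicalize(request_path)
    if is_protected(canonical):
        return 403, None
    # A trailing slash claims the target is a directory. When the canonical
    # path is a regular file, that is an equivalence trick rather than a
    # directory request; answer 404 as a POSIX filesystem would (ENOTDIR).
    if request_path.endswith("/") and canonical in DOCROOT:
        return 404, None
    body = read_file(canonical)
    return (200, body) if body is not None else (404, None)


if __name__ == "__main__":
    for p in ("/index.jsp", "/index.jsp/", "/./index.jsp/",
              "/.htpasswd/", "/public/readme.txt", "/public/readme.txt/"):
        print(f"{p:22} vulnerable={serve_vulnerable(p)[0]}  fixed={serve_fixed(p)[0]}")
```

Running the block prints the status each handler returns; the vulnerable handler serves the .jsp source and the .htpasswd contents for the slash-suffixed spellings that the fixed handler rejects. The example root holds only files, so the fixed handler can treat every 'file/' request as an equivalence trick; a server that also serves directories must first resolve the canonical path and then decide based on whether it names a directory or a file.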
+ Time of Introduction
  • Implementation
  • Operation
+ Applicable Platforms

Languages

All

+ Common Consequences
Scope: Confidentiality, Integrity
Technical Impact: Read files or directories; Modify files or directories

+ Observed Examples
  • Overlaps infoleak
  • Application server allows remote attackers to read source code for .jsp files by appending a / to the requested URL.
  • Bypass Basic Authentication for files using trailing "/"
  • Read sensitive files with trailing "/"
  • Web server allows remote attackers to view sensitive files under the document root (such as .htpasswd) via a GET request with a trailing /.
  • Directory traversal vulnerability in server allows remote attackers to read protected files via .. (dot dot) sequences in an HTTP request.
  • Source code disclosure
+ Relationships
  • ChildOf Weakness Base 41: Improper Resolution of Path Equivalence (Views: Development Concepts (primary) 699; Research Concepts (primary) 1000)
  • ChildOf Weakness Variant 162: Improper Neutralization of Trailing Special Elements (View: Research Concepts 1000)
  • ChildOf Category 981: SFP Secondary Cluster: Path Traversal (View: Software Fault Pattern (SFP) Clusters (primary) 888)
+ Taxonomy Mappings
  • PLOVER: filedir/ (trailing slash, trailing /)
  • Software Fault Patterns: SFP16 Path Traversal
+ Content History
Submissions
  • Submitter: PLOVER; Source: Externally Mined
Modifications
  • 2008-07-01, Eric Dalci (Cigital), External: updated Time_of_Introduction
  • 2008-09-08, CWE Content Team (MITRE), Internal: updated Relationships, Taxonomy_Mappings
  • 2008-11-24, CWE Content Team (MITRE), Internal: updated Observed_Examples
  • 2010-12-13, CWE Content Team (MITRE), Internal: updated Observed_Examples
  • 2011-06-01, CWE Content Team (MITRE), Internal: updated Common_Consequences
  • 2012-05-11, CWE Content Team (MITRE), Internal: updated Observed_Examples, Relationships
  • 2012-10-30, CWE Content Team (MITRE), Internal: updated Potential_Mitigations
  • 2014-07-30, CWE Content Team (MITRE), Internal: updated Relationships, Taxonomy_Mappings
Previous Entry Names
  • 2008-04-11: Path Issue - Trailing Slash - filedir/

Page Last Updated: May 05, 2017