CWE
Home > CWE List > CWE- Individual Dictionary Definition (1.1)  
Search by ID:

CWE-58: Path Equivalence: Windows 8.3 Filename

Individual Definition in a New Window
Path Equivalence: Windows 8.3 Filename
Status: Incomplete
Weakness ID: 58 (Weakness Variant)
Description
Summary

The software contains a protection mechanism that restricts access to a long filename on a Windows operating system, but the software does not properly restrict access to the equivalent short "8.3" filename.

Extended Description

On later Windows operating systems, a file can have a "long name" and a short name that is compatible with older Windows file systems, with up to 8 characters in the filename and 3 characters for the extension. These "8.3" filenames, therefore, act as an alternate name for files with long names, so they are useful pathname equivalence manipulations.

Functional Areas
* File processing
Potential Mitigations

Disable Windows from supporting 8.3 filenames by editing the Windows registry. Preventing 8.3 filenames will not remove previously generated 8.3 filenames.

Observed Examples
ReferenceDescription
Multiple web servers allow restriction bypass using 8.3 names instead of long names
Source code disclosure using 8.3 file name.
Multi-Factor Vulnerability. Product generates temporary filenames using long filenames, which become predictable in 8.3 format.
Research Gaps

Probably under-studied

References
M. Howard and D. LeBlanc. "Writing Secure Code". 2nd Edition. Microsoft. 2003.
Relationships
NatureTypeIDNameView(s) this relationship pertains toView(s)
ChildOfWeakness BaseWeakness BaseWeakness Base41Failure to Resolve Path Equivalence
Development Concepts (primary)699
Research Concepts (primary)1000
Taxonomy Mappings
Mapped Taxonomy NameMapped Node Name
PLOVERWindows 8.3 Filename
Applicable Platforms
Languages
All
Operating Systems
Windows
Time of Introduction
* Implementation
Content History
Submissions
PLOVER. (Externally Mined)
Modifications
Eric Dalci. Cigital. 2008-07-01. (External)
updated Time_of_Introduction
CWE Content Team. MITRE. 2008-09-08. (Internal)
updated Applicable_Platforms, Relationships, Taxonomy_Mappings
CWE Content Team. MITRE. 2008-10-14. (Internal)
updated Description
Previous Entry Names
* Path Issue - Windows 8.3 Filename (changed 2008-04-11)
Page Last Updated: November 24, 2008