CWE-59: Improper Link Resolution Before File Access ('Link Following')
Weakness ID: 59
Abstraction: Base
Structure: Simple
The software attempts to access a file based on the filename, but it does not properly prevent that filename from identifying a link or shortcut that resolves to an unintended resource.
The table(s) below show the weaknesses and high-level categories that are related to this weakness. These relationships are defined as ChildOf, ParentOf, and MemberOf, and give insight into similar items that may exist at higher and lower levels of abstraction. In addition, relationships such as PeerOf and CanAlsoBe are defined to show similar weaknesses that the user may want to explore.
Relevant to the view "Research Concepts" (CWE-1000)
The different Modes of Introduction provide information about how and when this weakness may be introduced. The Phase identifies a point in the software life cycle at which introduction may occur, while the Note provides a typical scenario related to introduction during the given phase.
REALIZATION: This weakness is caused during implementation of an architectural security tactic.
The listings below show possible areas for which the given weakness could appear. These may be for specific named Languages, Operating Systems, Architectures, Paradigms, Technologies, or a class of such platforms. The platform is listed along with how frequently the given weakness appears for that instance.
The table below specifies different individual consequences associated with the weakness. The Scope identifies the application security area that is violated, while the Impact describes the negative technical impact that arises if an adversary succeeds in exploiting this weakness. The Likelihood provides information about how likely the specific consequence is expected to be seen relative to the other consequences in the list. For example, there may be high likelihood that a weakness will be exploited to achieve a certain impact, but a low likelihood that it will be exploited to achieve a different impact.
Scope: Confidentiality, Integrity, Access Control
Technical Impact: Read Files or Directories; Modify Files or Directories; Bypass Protection Mechanism
An attacker may be able to traverse the file system to unintended locations and read or overwrite the contents of unexpected files. If the files are used for a security mechanism then an attacker may be able to bypass the mechanism.
Technical Impact: Execute Unauthorized Code or Commands
Windows simple shortcuts, sometimes referred to as soft links, can be exploited remotely since a ".LNK" file can be uploaded like a normal file. This can enable remote execution.
insecure temporary file:
Some people use the phrase "insecure temporary file" when referring to a link following weakness, but other weaknesses can produce insecure temporary files without any symlink involvement at all.
Browser allows remote malicious web sites to overwrite arbitrary files by tricking the user into downloading a .LNK (link) file twice, which overwrites the file that was referenced in the first .LNK file.
Web server plugin allows local users to overwrite arbitrary files via a symlink attack on predictable temporary filenames.
Phase: Architecture and Design
Strategy: Separation of Privilege
Follow the principle of least privilege when assigning access rights to entities in a software system.
Denying access to a file can prevent an attacker from replacing that file with a link to a sensitive file. Ensure good compartmentalization in the system to provide protected areas that can be trusted.
(where the weakness is typically related to the presence of some other weaknesses)
Automated Static Analysis - Binary or Bytecode
According to SOAR, the following detection techniques may be useful:
This MemberOf Relationships table shows additional CWE Categories and Views that reference this weakness as a member. This information is often useful in understanding where a weakness fits within the context of external information sources.
Link following vulnerabilities are Multi-factor Vulnerabilities (MFV). They are
the combination of multiple elements: file or directory permissions, filename
predictability, race conditions, and in some cases, a design limitation in which
there is no mechanism for performing atomic file creation operations.
Some potential factors are race conditions, permissions, and
UNIX hard links, and Windows hard/soft links are under-studied and under-reported.
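The factors named above (a predictable filename, a race between check and use, non-atomic creation, and hard links) can be seen in a small added example, which is not part of the CWE entry: a plain write follows a planted link, while exclusive creation and an O_NOFOLLOW open with an fstat check refuse it. It assumes a POSIX system; the file names and helper functions are made up for the demonstration.

```python
import errno
import os
import stat
import tempfile
from pathlib import Path

def naive_write(path, data):
    """Weak form: a plain open-for-write follows whatever link sits at the path."""
    Path(path).write_bytes(data)

def create_exclusive(path, data):
    """Atomic create: O_EXCL fails if any name, even a dangling symlink, exists."""
    flags = os.O_WRONLY | os.O_CREAT | os.O_EXCL | os.O_NOFOLLOW
    with os.fdopen(os.open(path, flags, 0o600), "wb") as f:
        f.write(data)

def open_existing_no_links(path):
    """Open an existing file; reject symlinks and files with extra hard links."""
    fd = os.open(path, os.O_RDONLY | os.O_NOFOLLOW)
    st = os.fstat(fd)  # inspect the opened object, not the name (no re-lookup race)
    if not stat.S_ISREG(st.st_mode) or st.st_nlink != 1:
        os.close(fd)
        raise PermissionError(errno.EPERM, "not a singly linked regular file", str(path))
    return fd

def demo():
    """Constructed scenario in a private scratch directory; all names are made up."""
    out = {}
    with tempfile.TemporaryDirectory() as d:
        target, link = Path(d, "sensitive.conf"), Path(d, "app.tmp")
        target.write_bytes(b"original")
        link.symlink_to(target)  # stands in for a link planted at a predictable name
        try:
            create_exclusive(link, b"clobbered")
        except FileExistsError:
            out["exclusive_blocked"] = True
        try:
            os.close(open_existing_no_links(link))
        except OSError as e:  # ELOOP on Linux, EMLINK on some BSDs
            out["nofollow_blocked"] = e.errno in (errno.ELOOP, errno.EMLINK)
        os.link(target, Path(d, "alias"))  # second hard link to the same inode
        try:
            os.close(open_existing_no_links(target))
        except PermissionError:
            out["hardlink_rejected"] = True
        out["after_hardened"] = target.read_bytes()
        naive_write(link, b"clobbered")  # follows the link and overwrites target
        out["after_naive"] = target.read_bytes()
    return out
```

Creating such files inside a directory that only the application's own user can write to removes the opportunity to place a link there at all, which is the compartmentalization the mitigation above describes.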
Mapped Taxonomy Name | Mapped Node Name
CERT C Secure Coding | Canonicalize path names originating from untrusted
CERT C Secure Coding | Check for the existence of links when dealing with
CERT Perl Secure Coding | Do not operate on files that can be modified by untrusted users (CWE More Specific)