Improper Link Resolution Before File Access ('Link Following')

Weakness ID: 59 (Weakness Base)
Status: Draft

Summary
The software attempts to access a file based on the filename, but it does not properly prevent that filename from identifying a link or shortcut that resolves to an unintended resource.

Alternate Terms
insecure temporary file: Some people use the phrase "insecure temporary file" when referring to a link following weakness, but other weaknesses can produce insecure temporary files without any symlink involvement at all.

Potential Mitigations
- Follow the principle of least privilege when assigning access rights to files. Denying access to a file can prevent an attacker from replacing that file with a link to a sensitive file.
- Ensure good compartmentalization in the system to provide protected areas that can be trusted.

Other Notes
Windows soft links can be exploited remotely since a ".LNK" file can be uploaded like a normal file.

Weakness Ordinalities
Resultant (where the weakness is typically related to the presence of some other weaknesses)

Relationship Notes
Link following vulnerabilities are Multi-factor Vulnerabilities (MFV). They are the combination of multiple elements: file or directory permissions, filename predictability, race conditions, and in some cases, a design limitation in which there is no mechanism for performing atomic file creation operations. Some potential factors are race conditions, permissions, and predictability.
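The mitigations and relationship notes above name the ingredients (permissions, predictable names, races, no atomic create) without showing how a program avoids them. The following is an added example, not part of the CWE entry, written against the POSIX open(2)/fstat(2) interfaces on Linux: it opens files with O_NOFOLLOW so a link at the final path component is refused, verifies the opened object with fstat on the descriptor rather than a separate stat on the name, and creates private files with O_CREAT|O_EXCL so that anything already planted at the path (including a symlink) causes EEXIST instead of being followed. The function names, the /tmp/cwe59-demo-XXXXXX location and the file names are my own constructions; the demo creates a symlink fixture only to show that the checks reject it.

```c
#ifndef _GNU_SOURCE
#define _GNU_SOURCE
#endif
#include <errno.h>
#include <fcntl.h>
#include <stdio.h>
#include <stdlib.h>
#include <string.h>
#include <sys/stat.h>
#include <unistd.h>

/* Open an existing file read-only, refusing a symlink at the last path
 * component. Returns a descriptor, or -1 with errno set (ELOOP on Linux
 * when 'path' is a symlink). */
int open_nofollow_regular(const char *path)
{
    int fd = open(path, O_RDONLY | O_NOFOLLOW | O_CLOEXEC);
    if (fd < 0)
        return -1;

    struct stat st;
    /* fstat the descriptor we hold rather than stat the name, so the check
     * describes the object actually opened and cannot race with a swap. */
    if (fstat(fd, &st) < 0) {
        int saved = errno;
        close(fd);
        errno = saved;
        return -1;
    }
    if (!S_ISREG(st.st_mode)) {
        close(fd);
        errno = EINVAL;  /* FIFO, device or directory: not what we expected */
        return -1;
    }
    return fd;
}

/* Create a new, private file atomically. O_CREAT|O_EXCL fails with EEXIST
 * if anything, including a planted symlink, already sits at 'path', so a
 * "check, then create" race has no window. Mode 0600 keeps it private. */
int create_private_file(const char *path)
{
    return open(path, O_WRONLY | O_CREAT | O_EXCL | O_NOFOLLOW | O_CLOEXEC, 0600);
}

/* Self-contained demonstration in a fresh temp directory (constructed fixture).
 * Returns a bitmask: 1 = regular file opened, 2 = symlink rejected with ELOOP,
 * 4 = create refused a pre-existing symlink with EEXIST. All three give 7. */
int demo_link_following_checks(void)
{
    char dir[] = "/tmp/cwe59-demo-XXXXXX";   /* hypothetical test location */
    if (mkdtemp(dir) == NULL)
        return -1;

    char real_path[256], link_path[256];
    snprintf(real_path, sizeof real_path, "%s/real.txt", dir);
    snprintf(link_path, sizeof link_path, "%s/link.txt", dir);

    int result = 0;
    int fd = create_private_file(real_path);
    if (fd >= 0) {
        ssize_t n = write(fd, "data\n", 5);
        (void)n;
        close(fd);
    }

    /* Fixture: a symlink to the real file stands in for a planted link. */
    if (symlink(real_path, link_path) == 0) {
        fd = open_nofollow_regular(real_path);
        if (fd >= 0) { result |= 1; close(fd); }

        fd = open_nofollow_regular(link_path);
        if (fd < 0 && errno == ELOOP) result |= 2;
        else if (fd >= 0) close(fd);

        fd = create_private_file(link_path);
        if (fd < 0 && errno == EEXIST) result |= 4;
        else if (fd >= 0) close(fd);

        unlink(link_path);
    }
    unlink(real_path);
    rmdir(dir);
    return result;
}

int main(void)
{
    int r = demo_link_following_checks();
    printf("checks held (bitmask): %d, 7 means all three\n", r);
    return r == 7 ? 0 : 1;
}
```

O_NOFOLLOW only guards the final path component; a link in an intermediate directory is still traversed, which is why the least-privilege and compartmentalization mitigations above still matter: the directory the program writes into must be one an attacker cannot modify. Where the whole path is under the program's control, opening the directory first and using openat(2) with O_NOFOLLOW on the leaf removes the intermediate-component exposure as well.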
Content History

Submissions
- PLOVER (Externally Mined)

Modifications
- 2008-07-01: Eric Dalci, Cigital (External). Updated Time_of_Introduction.
- 2008-09-08: CWE Content Team, MITRE (Internal). Updated Alternate_Terms, Applicable_Platforms, Relationships, Other_Notes, Relationship_Notes, Taxonomy_Mappings, Weakness_Ordinalities.
- 2008-11-24: CWE Content Team, MITRE (Internal). Updated Relationships, Taxonomy_Mappings.
- 2009-01-12: CWE Content Team, MITRE (Internal). Updated Relationships.
- 2009-05-27: CWE Content Team, MITRE (Internal). Updated Description, Name.

Previous Entry Names
- Link Following (changed 2008-04-11)
- Failure to Resolve Links Before File Access (aka 'Link Following') (changed 2009-05-27)
Page Last Updated: May 26, 2009
CWE is a Software Assurance strategic initiative sponsored by the National Cyber Security Division of the U.S. Department of Homeland Security. This Web site is hosted by The MITRE Corporation. Contact cwe@mitre.org for more information.
