Compound Element ID: 61 (Compound Element Variant: Composite)
Status: Incomplete
Description
Description Summary
The software, when opening a file or directory, does not
sufficiently account for when the file is a symbolic link that resolves to a
target outside of the intended control sphere. This could allow an attacker to
cause the software to operate on unauthorized files.
Extended Description
A program that accepts UNIX symbolic links (symlinks) as part of a path, whether the
path is built internally or supplied through user input, can be tricked into operating
on a file of the attacker's choosing rather than the file it intended: the attacker
plants a symlink at a name the program is about to open, and the kernel transparently
resolves it to an arbitrary location on the file system. Because the open happens with
the program's privileges (root or another user in the case of setuid binaries and
daemons), the symlink lets the attacker read, write or corrupt a file they did not
originally have permission to access. The classic instance is a race in a shared,
world-writable directory such as /tmp: the program checks for or creates a predictably
named file, and the attacker swaps in the symlink before the program actually opens it.
Observed Example
A setuid product allowed file reading by replacing a file being edited with a symlink
to the targeted file; the target's contents leaked through error messages when parsing
of the replaced file failed.
Potential Mitigations
Symbolic link attacks often occur when a program creates files or links under a shared
temporary directory. Give the program a private temporary directory (mkdtemp(3) creates
one with mode 0700) so that other users cannot plant entries in it, and create the files
inside it with O_CREAT|O_EXCL (which mkstemp(3) does) so that a pre-planted symlink makes
the open fail instead of being followed.
Follow the principle of least privilege when assigning access rights to files and
directories. Denying attackers write access to the directory that holds a file prevents
them from replacing that file with a link to a sensitive file (on UNIX, write permission
on the directory, not on the file, is what allows unlink and symlink). Ensure good
compartmentalization in the system to provide protected areas that can be trusted. When
a program must open a path it does not fully control, open it with O_NOFOLLOW and verify
the result with fstat(2) on the returned descriptor; checking with lstat(2) on the path
before the open leaves a time-of-check/time-of-use window in which the entry can be
swapped for a symlink.
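To make the attack in the Extended Description and the mitigation above concrete, here is an added example (not part of the CWE entry or any product it describes). It plants a symlink named `scratch` that points at a `victim` file inside a private mkdtemp(3) directory, then opens `scratch` twice: once the vulnerable way (O_TRUNC, symlink followed, victim overwritten) and once the hardened way (O_CREAT|O_EXCL|O_NOFOLLOW plus fstat(2) on the descriptor, open refused). The names `victim`, `scratch` and the `/tmp/cwe61-XXXXXX` template are assumptions for the demo; the flags and checks are standard POSIX.

```c
/* Added example (not CWE text): symlink following vs. a hardened open.
 * Build: cc -Wall -o symlink_demo symlink_demo.c */
#define _GNU_SOURCE
#include <errno.h>
#include <fcntl.h>
#include <stdio.h>
#include <stdlib.h>
#include <string.h>
#include <sys/stat.h>
#include <unistd.h>

/* Vulnerable pattern: open(2) a name in a directory an attacker can write to
 * and let the kernel follow whatever is there. A pre-planted symlink redirects
 * the truncate-and-write to its target, with this process's privileges. */
static int unsafe_open_for_write(const char *path)
{
    return open(path, O_WRONLY | O_CREAT | O_TRUNC, 0600);
}

/* Hardened pattern. O_CREAT|O_EXCL refuses any existing entry at 'path',
 * including a symlink (even a dangling one, errno EEXIST); O_NOFOLLOW refuses
 * a symlink as the final component (ELOOP); fstat(2) on the descriptor we
 * actually hold (not stat(2) on the path, which would reopen the race window)
 * confirms it is a regular file owned by us. Returns fd, or -1 with errno. */
static int safe_open_for_write(const char *path)
{
    struct stat st;
    int fd = open(path, O_WRONLY | O_CREAT | O_EXCL | O_NOFOLLOW, 0600);
    if (fd < 0)
        return -1;
    if (fstat(fd, &st) < 0 || !S_ISREG(st.st_mode) || st.st_uid != geteuid()) {
        close(fd);
        errno = EPERM;
        return -1;
    }
    return fd;
}

/* Play the scenario with a given opener. 'victim' stands in for a sensitive
 * file, 'scratch' is the name the program expects to create; the attacker's
 * move is symlink(victim, scratch) before the program opens scratch. The
 * directory comes from mkdtemp(3) (constructed, private to this process).
 * Returns 1 if victim was clobbered, 0 if it survived, -1 on setup error. */
static int run_scenario(int (*opener)(const char *))
{
    static const char secret[] = "original contents";
    static const char junk[] = "attacker-influenced data";
    char dir[] = "/tmp/cwe61-XXXXXX", victim[64], scratch[64], buf[64] = {0};
    int vfd, fd, rfd, clobbered;
    ssize_t n;

    if (!mkdtemp(dir))
        return -1;
    snprintf(victim, sizeof victim, "%s/victim", dir);
    snprintf(scratch, sizeof scratch, "%s/scratch", dir);

    vfd = open(victim, O_WRONLY | O_CREAT | O_EXCL, 0600);
    if (vfd < 0 || write(vfd, secret, sizeof secret - 1) < 0)
        return -1;
    close(vfd);

    if (symlink(victim, scratch) < 0)      /* attacker plants the link */
        return -1;

    fd = opener(scratch);                  /* program "creates" its scratch file */
    if (fd >= 0) {
        if (write(fd, junk, sizeof junk - 1) < 0)
            return -1;
        close(fd);
    }

    rfd = open(victim, O_RDONLY);          /* did the sensitive file survive? */
    n = rfd >= 0 ? read(rfd, buf, sizeof buf - 1) : -1;
    if (rfd >= 0)
        close(rfd);
    clobbered = !(n == (ssize_t)(sizeof secret - 1) &&
                  memcmp(buf, secret, (size_t)n) == 0);

    unlink(scratch);                       /* removes the link, not its target */
    unlink(victim);
    rmdir(dir);
    return clobbered;
}

int demo_unsafe(void) { return run_scenario(unsafe_open_for_write); }
int demo_safe(void)   { return run_scenario(safe_open_for_write); }

int main(void)
{
    printf("O_TRUNC open of planted symlink:          victim %s\n",
           demo_unsafe() == 1 ? "overwritten" : "intact");
    printf("O_EXCL|O_NOFOLLOW open of planted symlink: victim %s\n",
           demo_safe() == 1 ? "overwritten" : "intact");
    return 0;
}
```

Note that the hardened opener never needs to inspect the path itself: O_EXCL makes the kernel do the "does something already exist here?" check atomically with the create, which is exactly the step an lstat-then-open sequence gets wrong. The demo works regardless of the Linux `fs.protected_symlinks` sysctl because the scratch directory is private and not sticky; that sysctl only blocks link following in world-writable sticky directories such as /tmp itself, so it is a defence in depth, not a reason to skip O_EXCL|O_NOFOLLOW in code.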
Other Notes
Symlink vulnerabilities are regularly found in C and shell programs, but programs in
any language can have this problem, since the following is done by the kernel, not the
language runtime. Shell programs in particular are probably under-reported.
Research Gaps
"Second-order symlink vulnerabilities" may exist in programs that do not follow symlinks
themselves but invoke other programs (through system(3), exec, or a shell script) that
follow symlinks on the paths passed to them. They are rarely reported but are likely to
be fairly common wherever process invocation is used. Reference: [Christey2005]