
CWE-72: Failure to Handle Apple HFS+ Alternate Data Stream Path

Status: Incomplete
Weakness ID: 72 (Weakness Variant)
Description
Summary

The software does not properly handle special paths that may identify the data or resource fork of a file on the HFS+ file system.

Extended Description

If the software chooses which action to take based on the file name, an attacker who supplies a path naming the data or resource fork instead of the file itself can cause the software to take an unexpected action. Further, if the software intends to restrict access to a file, an attacker might still bypass the intended restriction by requesting the data or resource fork of that file, because the fork path names the same underlying object under a different string.

Demonstrative Examples

A web server that treats FILE.cgi as a script to execute could disclose the source code of FILE.cgi when asked for FILE.cgi/..namedfork/data: the last path component no longer ends in .cgi, so the server falls back to its default (static file) handler, and the operating system resolves that path to the data fork, i.e. the contents, of FILE.cgi.

Observed Examples

None listed.
Other Notes

Fault: multiple identifiers, non-atomic object

Background Details

The Apple HFS+ file system permits files to have multiple data input streams, accessible through special paths. The Mac OS X operating system provides a way to access the different data input streams through special paths and as an extended attribute:

- Resource fork: file/..namedfork/rsrc, file/rsrc (deprecated), xattr:com.apple.ResourceFork

- Data fork: file/..namedfork/data (only versions prior to Mac OS X v10.5)

Additionally, on filesystems that lack native support for multiple streams, the resource fork and file metadata may be stored in a file with "._" prepended to the name.

Forks can also be accessed through non-portable APIs.

Forks inherit the file system access controls of the file they belong to.

Programs need to control access to these paths whenever the handling of a file system object depends on the structure of its path (for example, choosing a handler by file extension).
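The following is an added example, not part of this CWE entry and not code from MITRE or Apple. It illustrates both the demonstrative example above (handler chosen from the URL leaf) and the point just made about controlling access to fork paths. The document root is a constructed in-memory mock (the two predicates) so the code runs without an HFS+ volume; the ".cgi" convention, the function names, and the decision to refuse any "._"-prefixed name (the AppleDouble sidecar convention, treated here as a conservative policy) are all assumptions of the example.

```python
# Pseudo-path components that Mac OS X resolves to a fork rather than a
# directory entry (see Background Details). They never appear in a directory
# listing, so "does this entry exist in the parent?" checks do not catch them.
FORK_DIR = "..namedfork"            # file/..namedfork/data, file/..namedfork/rsrc
APPLEDOUBLE_PREFIX = "._"           # sidecar carrying the resource fork on non-HFS+ volumes
SCRIPT_EXT = ".cgi"                 # assumed script convention for this example


def split_components(url_path):
    """Split a request path into non-empty components; '.' parts are dropped."""
    return [c for c in url_path.split("/") if c not in ("", ".")]


def choose_handler_naive(url_path):
    """The vulnerable pattern: pick the handler from the extension of the LAST
    URL component. For /FILE.cgi/..namedfork/data the leaf is 'data', so the
    static-file handler is chosen and opens a path the kernel resolves to the
    data fork of FILE.cgi, i.e. the script source."""
    comps = split_components(url_path)
    if not comps:
        return None
    handler = "cgi" if comps[-1].endswith(SCRIPT_EXT) else "static"
    return handler, "/".join(comps), ""


def resolve_request(url_path, is_file, is_dir):
    """Hardened resolution. Walks the path one component at a time against the
    filesystem (here the two predicates); the first component that is a
    regular file is the object being served, and ITS extension, not the URL
    leaf's, selects the handler. Returns (handler, fs_path, path_info) or None
    when the request must be refused."""
    comps = split_components(url_path)
    if not comps or ".." in comps:
        return None                                   # empty, or plain traversal
    for c in comps:
        if c == FORK_DIR or c.startswith(APPLEDOUBLE_PREFIX):
            return None                               # explicit fork or sidecar request
    walked = []
    for i, c in enumerate(comps):
        walked.append(c)
        fs_path = "/".join(walked)
        if is_file(fs_path):
            rest = comps[i + 1:]
            if fs_path.endswith(SCRIPT_EXT):
                # Trailing components become PATH_INFO for the script; the
                # script is executed, never read back to the client.
                return "cgi", fs_path, ("/" + "/".join(rest)) if rest else ""
            if rest:
                # A regular file followed by more components can only be a
                # fork selector on HFS+ (e.g. the deprecated file/rsrc form);
                # refuse rather than hand it to the static handler.
                return None
            return "static", fs_path, ""
        if not is_dir(fs_path):
            return None                               # nothing there
    return None                                       # bare directory: no index handling here


# Constructed mock of a document root so the example runs offline.
MOCK_FILES = {"FILE.cgi", "index.html", "docs/readme.txt"}
MOCK_DIRS = {"docs"}


def mock_is_file(p):
    return p in MOCK_FILES


def mock_is_dir(p):
    return p in MOCK_DIRS


def demo():
    """Naive chooser hands the fork path to the static handler; the hardened
    resolver refuses it but still serves ordinary requests."""
    req = "/FILE.cgi/..namedfork/data"
    return {
        "naive": choose_handler_naive(req),
        "hardened": resolve_request(req, mock_is_file, mock_is_dir),
        "normal_cgi": resolve_request("/FILE.cgi/extra/info", mock_is_file, mock_is_dir),
        "deprecated_rsrc": resolve_request("/index.html/rsrc", mock_is_file, mock_is_dir),
        "appledouble": resolve_request("/._FILE.cgi", mock_is_file, mock_is_dir),
        "static": resolve_request("/docs/readme.txt", mock_is_file, mock_is_dir),
    }


if __name__ == "__main__":
    for name, result in demo().items():
        print(f"{name:16} {result}")
```

Refusing the ..namedfork component covers both the data fork form (pre-10.5) and the resource fork form that remains valid later; the deprecated file/rsrc form cannot be recognised by string matching alone, which is why the resolver stops at the first regular file and refuses anything that follows it unless that file is a script receiving PATH_INFO. In a real server the predicates would be os.path.isfile and os.path.isdir on the realpath-resolved document root, with the usual containment check.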

Research Gaps

Under-studied

References
Relationships
Nature    Type           ID   Name                                                          View(s) this relationship pertains to
ChildOf   Category       70   Mac Virtual File Problems                                     Resource-specific Weaknesses (primary) (631); Development Concepts (699)
ChildOf   Weakness Base  66   Failure to Handle File Names that Identify Virtual Resources  Development Concepts (primary) (699); Research Concepts (primary) (1000)
Taxonomy Mappings
Mapped Taxonomy Name   Mapped Node Name
PLOVER                 Apple HFS+ alternate data stream
Applicable Platforms
Languages
All
Operating Systems
Mac OS
Time of Introduction
* Architecture and Design
* Implementation
Content History
Submissions
PLOVER. (Externally Mined)
Modifications
Eric Dalci. Cigital. 2008-07-01. (External)
updated Time_of_Introduction
CWE Content Team. MITRE. 2008-09-08. (Internal)
updated Relationships, Other_Notes, Taxonomy_Mappings
David Remahl. Apple. 2008-11-05. (External)
clarified description, provided background details, and added demonstrative example
CWE Content Team. MITRE. 2008-11-24. (Internal)
updated Applicable_Platforms, Background_Details, Demonstrative_Examples, Description, Name, References
Previous Entry Names
* Apple HFS+ Alternate Data Stream (changed 2008-11-24)
Page Last Updated: November 24, 2008