CWE
Home > CWE List > CWE-73 Individual Dictionary Definition (Draft 9)   View the CWE List

CWE-73 Individual Dictionary Definition (Draft 9)

External Control of File Name or Path
Weakness ID
Status: Draft

73 (Weakness Class)

Description

Summary

Allowing user input to control paths used in filesystem operations may enable an attacker to access or modify otherwise protected system resources.

Likelihood of Exploit

High to Very High

Weakness Ordinality

Resultant (Weakness is typically related to the presence of some other weaknesses)

Causal Nature

Explicit (This is an explicit weakness resulting from behavior of the developer)

Demonstrative
Examples

The following code uses input from an HTTP request to create a file name. The programmer has not considered the possibility that an attacker could provide a file name such as "../../tomcat/conf/server.xml", which causes the application to delete one of its own configuration files.

String rName = request.getParameter("reportName");
File rFile = new File("/usr/local/apfr/reports/" + rName);
...
rFile.delete();


The following code uses input from a configuration file to determine which file to open and echo back to the user. If the program runs with privileges and malicious users can change the configuration file, they can use the program to read any file on the system that ends with the extension .txt.

fis = new FileInputStream(cfg.getProperty("sub")+".txt");
amt = fis.read(arr);
out.println(arr);

Context Notes

Path manipulation errors occur when the following two conditions are met: 1. An attacker can specify a path used in an operation on the filesystem. 2. By specifying the resource, the attacker gains a capability that would not otherwise be permitted. For example, the program may give the attacker the ability to overwrite the specified file or run with a configuration controlled by the attacker.

Relationships
NatureTypeIDName
ChildOfWeakness ClassWeakness ClassWeakness Class21Pathname Traversal and Equivalence Errors
CanAlsoBeWeakness BaseWeakness BaseWeakness Base99Insufficient Control of Resource Identifiers (aka 'Resource Injection')
Source Taxonomies

7 Pernicious Kingdoms - Path Manipulation

Applicable Platforms

All

Related Attack Patterns
CAPEC-IDAttack Pattern Name
80Using UTF-8 Encoding to Bypass Validation Logic
79Using Slashes in Alternate Encoding
72URL Encoding
64Using Slashes and URL Encoding Combined to Bypass Validation Logic
13Subverting Environment Variable Values
76Manipulating Input to File System Calls
78Using Escaped Slashes in Alternate Encoding
Page Last Updated: April 22, 2008