CWE - CWE-57: Path Equivalence: 'fakedir/../realdir/filename' (2.11)

Weakness ID: 57

Abstraction: Variant

Status: Incomplete

Presentation Filter:

Description

Description Summary

The software contains protection mechanisms to restrict access to 'realdir/filename', but it constructs pathnames using external input in the form of 'fakedir/../realdir/filename' that are not handled by those mechanisms. This allows attackers to perform unauthorized actions against the targeted file.

Time of Introduction

Implementation

Applicable Platforms

Languages

All

Common Consequences

Scope	Effect
Confidentiality Integrity	Technical Impact: Read files or directories; Modify files or directories

Observed Examples

Reference	Description
CVE-2001-1152	Proxy allows remote attackers to bypass blacklist restrictions and connect to unauthorized web servers by modifying the requested URL, including (1) a // (double slash), (2) a /SUBDIR/.. where the desired file is in the parentdir, (3) a /./, or (4) URL-encoded characters.
CVE-2000-0191	application check access for restricted URL before canonicalization
CVE-2005-1366	CGI source disclosure using "dirname/../cgi-bin"

Potential Mitigations

Phase: Implementation

Strategy: Input Validation

Inputs should be decoded and canonicalized to the application's current internal representation before being validated (CWE-180). Make sure that the application does not decode the same input twice (CWE-174). Such errors could be used to bypass whitelist validation schemes by introducing dangerous inputs after they have been checked.

Relationships

Nature	Type	ID	Name	View(s) this relationship pertains to
ChildOf	Weakness Base	41	Improper Resolution of Path Equivalence	Development Concepts (primary)699 Research Concepts (primary)1000
ChildOf	Category	981	SFP Secondary Cluster: Path Traversal	Software Fault Pattern (SFP) Clusters (primary)888

Theoretical Notes

This is a manipulation that uses an injection for one consequence (containment violation using relative path) to achieve a different consequence (equivalence by alternate name).

Taxonomy Mappings

Mapped Taxonomy Name	Node ID	Fit	Mapped Node Name
PLOVER			dirname/fakechild/../realchild/filename
Software Fault Patterns	SFP16		Path Traversal

Content History

Submissions
Submission Date	Submitter	Organization	Source
	PLOVER		Externally Mined

Modifications
Modification Date	Modifier	Organization	Source
2008-07-01	Eric Dalci	Cigital	External
2008-07-01	updated Time_of_Introduction
2008-09-08	CWE Content Team	MITRE	Internal
2008-09-08	updated Relationships, Other_Notes, Taxonomy_Mappings
2008-10-14	CWE Content Team	MITRE	Internal
2008-10-14	updated Description, Name, Observed_Examples, Other_Notes, Theoretical_Notes
2011-06-01	CWE Content Team	MITRE	Internal
2011-06-01	updated Common_Consequences
2012-05-11	CWE Content Team	MITRE	Internal
2012-05-11	updated Observed_Examples, Relationships
2012-10-30	CWE Content Team	MITRE	Internal
2012-10-30	updated Potential_Mitigations
2014-07-30	CWE Content Team	MITRE	Internal
2014-07-30	updated Relationships, Taxonomy_Mappings
Previous Entry Names
Change Date	Previous Entry Name
2008-04-11	Path Issue - dirname/fakechild/../realchild/filename

2008-10-14	Path Equivalence: 'dirname/fakechild/../realchild/filename'


	Use of the Common Weakness Enumeration and the associated references from this website are subject to the Terms of Use. For more information, please email cwe@mitre.org. CWE is sponsored by US-CERT in the office of Cybersecurity and Communications at the U.S. Department of Homeland Security. Copyright © 2006-2017, The MITRE Corporation. CWE, CWSS, CWRAF, and the CWE logo are trademarks of The MITRE Corporation.	Privacy policy Terms of use Contact us

Common Weakness Enumeration

CWE-57: Path Equivalence: 'fakedir/../realdir/filename'