Common Weakness Enumeration

A Community-Developed List of Software Weakness Types

CWE/SANS Top 25 Most Dangerous Software Errors
Home > CWE List > CWE- Individual Dictionary Definition (2.11)  

CWE-69: Improper Handling of Windows ::DATA Alternate Data Stream

Weakness ID: 69
Abstraction: Variant
Status: Incomplete
Presentation Filter:
+ Description

Description Summary

The software does not properly prevent access to, or detect usage of, alternate data streams (ADS).

Extended Description

An attacker can use an ADS to hide information about a file (e.g. size, the name of the process) from a system or file browser tools such as Windows Explorer and 'dir' at the command line utility. Alternately, the attacker might be able to bypass intended access restrictions for the associated data fork.

+ Time of Introduction
  • Architecture and Design
  • Implementation
+ Applicable Platforms



Operating Systems


+ Common Consequences
Access Control

Technical Impact: Bypass protection mechanism; Hide activities; Other

+ Observed Examples
In IIS, remote attackers can obtain source code for ASP files by appending "::$DATA" to the URL.
Product does not properly record file sizes if they are stored in alternative data streams, which allows users to bypass quota restrictions.
+ Potential Mitigations

Phase: Testing

Software tools are capable of finding ADSs on your system.

Phase: Implementation

Ensure that the source code correctly parses the filename to read or write to the correct stream.

+ Background Details

Alternate data streams (ADS) were first implemented in the Windows NT operating system to provide compatibility between NTFS and the Macintosh Hierarchical File System (HFS). In HFS, data and resource forks are used to store information about a file. The data fork provides information about the contents of the file while the resource fork stores metadata such as file type.

+ Relationships
NatureTypeIDNameView(s) this relationship pertains toView(s)
ChildOfWeakness BaseWeakness Base66Improper Handling of File Names that Identify Virtual Resources
Development Concepts (primary)699
Research Concepts (primary)1000
ChildOfCategoryCategory68Windows Virtual File Problems
Resource-specific Weaknesses631
Development Concepts699
ChildOfCategoryCategory634Weaknesses that Affect System Processes
Resource-specific Weaknesses (primary)631
ChildOfCategoryCategory904SFP Primary Cluster: Malware
Software Fault Pattern (SFP) Clusters (primary)888
+ Theoretical Notes

This and similar problems exist because the same resource can have multiple identifiers that dictate which behavior can be performed on the resource.

+ Affected Resources
  • System Process
+ Taxonomy Mappings
Mapped Taxonomy NameNode IDFitMapped Node Name
PLOVERWindows ::DATA alternate data stream
+ References
Don Parker. "Windows NTFS Alternate Data Streams". 2005-02-16. <>.
[REF-11] M. Howard and D. LeBlanc. "Writing Secure Code". 2nd Edition. Microsoft. 2003.
+ Content History
Submission DateSubmitterOrganizationSource
PLOVERExternally Mined
Modification DateModifierOrganizationSource
2008-07-01Eric DalciCigitalExternal
updated Time_of_Introduction
2008-09-08CWE Content TeamMITREInternal
updated Applicable_Platforms, Background_Details, Description, Relationships, Other_Notes, References, Taxonomy_Mappings
2008-10-14CWE Content TeamMITREInternal
updated Description
2009-10-29CWE Content TeamMITREInternal
updated Other_Notes, Theoretical_Notes
2010-04-05CWE Content TeamMITREInternal
updated Related_Attack_Patterns
2010-12-13CWE Content TeamMITREInternal
updated Name
2011-06-01CWE Content TeamMITREInternal
updated Common_Consequences
2012-05-11CWE Content TeamMITREInternal
updated Observed_Examples, References, Relationships
2012-10-30CWE Content TeamMITREInternal
updated Potential_Mitigations
Previous Entry Names
Change DatePrevious Entry Name
2008-04-11Windows ::DATA Alternate Data Stream
2010-12-13Failure to Handle Windows ::DATA Alternate Data Stream

More information is available — Please select a different filter.
Page Last Updated: May 05, 2017