Pathname Traversal and Equivalence Errors
Category ID: 21 (Category)Status: Incomplete
+ Description

Description Summary

Weaknesses in this category can be used to access files outside of a restricted directory (path traversal) or to perform operations on files that would otherwise be restricted (path equivalence).

Extended Description

Files, directories, and folders are so central to information technology that many different weaknesses and variants have been discovered. The manipulations generally involve special characters or sequences in pathnames, or the use of alternate references or channels.

+ Applicable Platforms



+ Potential Mitigations

Assume all input is malicious. Use an appropriate combination of black lists and white lists to ensure only valid and expected input is processed by the system.

+ Relationships
NatureTypeIDNameView(s) this relationship pertains toView(s)
ChildOfWeakness ClassWeakness Class20Improper Input Validation
Development Concepts (primary)699
ParentOfWeakness ClassWeakness Class22Improper Limitation of a Pathname to a Restricted Directory ('Path Traversal')
Development Concepts (primary)699
ParentOfWeakness BaseWeakness Base41Improper Resolution of Path Equivalence
Development Concepts (primary)699
ParentOfWeakness BaseWeakness Base59Improper Link Resolution Before File Access ('Link Following')
Development Concepts (primary)699
ParentOfWeakness BaseWeakness Base66Improper Handling of File Names that Identify Virtual Resources
Development Concepts (primary)699
+ Taxonomy Mappings
Mapped Taxonomy NameNode IDFitMapped Node Name
PLOVERPathname Traversal and Equivalence Errors
+ Related Attack Patterns
CAPEC-IDAttack Pattern Name
(CAPEC Version: 1.4)
64Using Slashes and URL Encoding Combined to Bypass Validation Logic
72URL Encoding
78Using Escaped Slashes in Alternate Encoding
79Using Slashes in Alternate Encoding
80Using UTF-8 Encoding to Bypass Validation Logic
+ Content History
Submission DateSubmitterOrganizationSource
PLOVERExternally Mined
Modification DateModifierOrganizationSource
2008-09-08CWE Content TeamMITREInternal
updated Relationships, Taxonomy Mappings, Type
2008-10-14CWE Content TeamMITREInternal
updated Description