Relative Path Traversal |
Weakness ID: 23 (Weakness Base) | Status: Draft |
Description Summary
Extended Description
This allows attackers to traverse the file system to access files or directories that are outside of the restricted directory.
Example 1
The following URLs are vulnerable to this attack:
A simple way to execute this attack is like this:
Example 2
The following code demonstrates the unrestricted upload of a file with a Java servlet and a path traversal vulnerability. The HTML code is the same as in the previous example with the action attribute of the form sending the upload file request to the Java servlet instead of the PHP code.
When submitted the Java servlet's doPost method will receive the request, extract the name of the file from the Http request header, read the file contents from the request and output the file to the local upload directory.
As with the previous example this code does not perform a check on the type of the file being uploaded. This could allow an attacker to upload any executable file or other file with malicious code.
Additionally, the creation of the BufferedWriter object is subject to relative path traversal (CWE-22, CWE-23). Depending on the executing environment, the attacker may be able to specify arbitrary files to write to, leading to a wide variety of consequences, from code execution, XSS (CWE-79), or system crash.
Assume all input is malicious. Attackers can insert paths into input vectors and traverse the file system. Use an appropriate combination of black lists and white lists to ensure only valid and expected input is processed by the system. Warning: if you attempt to cleanse your data, then do so that the end result is not in the form that can be dangerous. A sanitizing mechanism can remove characters such as '.' and ';' which may be required for some exploits. An attacker can try to fool the sanitizing mechanism into "cleaning" data into a dangerous form. Suppose the attacker injects a '.' inside a filename (e.g. "sensi.tiveFile") and the sanitizing mechanism removes the character resulting in the valid filename, "sensitiveFile". If the input data are now assumed to be safe, then the file may be compromised. See CWE-182 (Collapse of Data Into Unsafe Value). |
Phase: Architecture and Design Assume all input is malicious. Use a standard input validation mechanism to validate all input for length, type, syntax, and business rules before accepting the data to be displayed or stored. Use an "accept known good" validation strategy. Input (specifically, unexpected CRLFs) that is not appropriate should not be processed into HTTP headers. |
Use and specify a strong input/output encoding (such as ISO 8859-1 or UTF 8). |
Do not rely exclusively on blacklist validation to detect malicious input or to encode output. There are too many variants to encode a character; you're likely to miss some variants. |
Inputs should be decoded and canonicalized to the application's current internal representation before being validated. Make sure that your application does not decode the same input twice. Such errors could be used to bypass whitelist schemes by introducing dangerous inputs after they have been checked. |
Nature | Type | ID | Name | View(s) this relationship pertains to |
---|---|---|---|---|
ChildOf | Weakness Class | 22 | Improper Limitation of a Pathname to a Restricted Directory ('Path Traversal') | Development Concepts (primary)699 Research Concepts (primary)1000 |
ParentOf | Weakness Variant | 24 | Path Traversal: '../filedir' | Development Concepts (primary)699 Research Concepts (primary)1000 |
ParentOf | Weakness Variant | 25 | Path Traversal: '/../filedir' | Development Concepts (primary)699 Research Concepts (primary)1000 |
ParentOf | Weakness Variant | 26 | Path Traversal: '/dir/../filename' | Development Concepts (primary)699 Research Concepts (primary)1000 |
ParentOf | Weakness Variant | 27 | Path Traversal: 'dir/../../filename' | Development Concepts (primary)699 Research Concepts (primary)1000 |
ParentOf | Weakness Variant | 28 | Path Traversal: '..\filedir' | Development Concepts (primary)699 Research Concepts (primary)1000 |
ParentOf | Weakness Variant | 29 | Path Traversal: '\..\filename' | Development Concepts (primary)699 Research Concepts (primary)1000 |
ParentOf | Weakness Variant | 30 | Path Traversal: '\dir\..\filename' | Development Concepts (primary)699 Research Concepts (primary)1000 |
ParentOf | Weakness Variant | 31 | Path Traversal: 'dir\..\..\filename' | Development Concepts (primary)699 Research Concepts (primary)1000 |
ParentOf | Weakness Variant | 32 | Path Traversal: '...' (Triple Dot) | Development Concepts (primary)699 Research Concepts (primary)1000 |
ParentOf | Weakness Variant | 33 | Path Traversal: '....' (Multiple Dot) | Development Concepts (primary)699 Research Concepts (primary)1000 |
ParentOf | Weakness Variant | 34 | Path Traversal: '....//' | Development Concepts (primary)699 Research Concepts (primary)1000 |
ParentOf | Weakness Variant | 35 | Path Traversal: '.../...//' | Development Concepts (primary)699 Research Concepts (primary)1000 |
OWASP. "OWASP Attack listing". <http://www.owasp.org/index.php/Relative_Path_Traversal>. |
Submissions | ||||
---|---|---|---|---|
Submission Date | Submitter | Organization | Source | |
PLOVER | Externally Mined | |||
Modifications | ||||
Modification Date | Modifier | Organization | Source | |
2008-07-01 | Eric Dalci | Cigital | External | |
updated References, Demonstrative Example, Potential Mitigations, Time of Introduction | ||||
2008-09-08 | CWE Content Team | MITRE | Internal | |
updated Relationships, References, Taxonomy Mappings | ||||
2008-10-14 | CWE Content Team | MITRE | Internal | |
updated Description | ||||
2009-07-27 | CWE Content Team | MITRE | Internal | |
updated Potential Mitigations |