Path Traversal: 'dir\..\..\filename' |
| Weakness ID: 31 (Weakness Variant) | Status: Draft |
DescriptionDescription Summary
Extended Description
This allows attackers to traverse the file system to access files or directories that are outside of the restricted directory.
The 'dir\..\..\filename' manipulation is useful for bypassing some path traversal protection schemes. Sometimes a program only removes one "..\" sequence, so multiple "..\" can bypass that check. Alternately, this manipulation could be used to bypass a check for "..\" at the beginning of the pathname, moving up more than one directory level.
Time of Introduction- Implementation
Applicable PlatformsLanguages
All
Operating Systems
Windows
Observed Examples| Reference | Description |
|---|---|
| CVE-2002-0160 |
Potential MitigationsAssume all input is malicious. Attackers can insert paths into input vectors and traverse the file system. Use an appropriate combination of black lists and white lists to ensure only valid and expected input is processed by the system. Warning: if you attempt to cleanse your data, then do so that the end result is not in the form that can be dangerous. A sanitizing mechanism can remove characters such as '.' and ';' which may be required for some exploits. An attacker can try to fool the sanitizing mechanism into "cleaning" data into a dangerous form. Suppose the attacker injects a '.' inside a filename (e.g. "sensi.tiveFile") and the sanitizing mechanism removes the character resulting in the valid filename, "sensitiveFile". If the input data are now assumed to be safe, then the file may be compromised. See CWE-182 (Collapse of Data Into Unsafe Value). |
Phase: Architecture and Design Assume all input is malicious. Use a standard input validation mechanism to validate all input for length, type, syntax, and business rules before accepting the data to be displayed or stored. Use an "accept known good" validation strategy. Input (specifically, unexpected CRLFs) that is not appropriate should not be processed into HTTP headers. |
Use and specify a strong input/output encoding (such as ISO 8859-1 or UTF 8). |
Do not rely exclusively on blacklist validation to detect malicious input or to encode output. There are too many variants to encode a character; you're likely to miss some variants. |
Inputs should be decoded and canonicalized to the application's current internal representation before being validated. Make sure that your application does not decode the same input twice. Such errors could be used to bypass whitelist schemes by introducing dangerous inputs after they have been checked. |
Relationships| Nature | Type | ID | Name | View(s) this relationship pertains to |
|---|---|---|---|---|
| ChildOf |  Weakness Base | 23 | Relative Path Traversal | Development Concepts (primary)699 Research Concepts (primary)1000 |
Taxonomy Mappings| Mapped Taxonomy Name | Node ID | Fit | Mapped Node Name |
|---|---|---|---|
| PLOVER | 8 - 'directory\..\..\filename |
Content History| Submissions | ||||
|---|---|---|---|---|
| Submission Date | Submitter | Organization | Source | |
| PLOVER | Externally Mined | |||
| Modifications | ||||
| Modification Date | Modifier | Organization | Source | |
| 2008-07-01 | Eric Dalci | Cigital | External | |
| updated Potential Mitigations, Time of Introduction | ||||
| 2008-09-08 | CWE Content Team | MITRE | Internal | |
| updated Relationships, Taxonomy Mappings | ||||
| 2008-10-10 | CWE Content Team | MITRE | Internal | |
| fixed incorrect manipulation in name (desc was correct). | ||||
| 2008-10-14 | CWE Content Team | MITRE | Internal | |
| updated Applicable Platforms, Description | ||||
| 2009-07-27 | CWE Content Team | MITRE | Internal | |
| updated Potential Mitigations | ||||
| Previous Entry Names | ||||
| Change Date | Previous Entry Name | |||
| 2008-04-11 | Path Issue - Directory Doubled Dot Dot Backslash - 'directory\..\..\filename' | |||
| 2008-10-14 | Path Traversal: 'dir\..\filename' | |||
