Path Equivalence: 'file name' (Internal Whitespace)
Weakness ID: 48 (Weakness Variant)
Status: Incomplete
+ Description

Description Summary

A software system that accepts path input containing internal whitespace ('file(SPACE)name') without appropriate validation can resolve paths ambiguously, allowing an attacker to traverse the file system to unintended locations or access arbitrary files.
+ Time of Introduction
  • Implementation
+ Applicable Platforms



+ Observed Examples
CVE-2000-0293: Filenames with spaces allow arbitrary file deletion when the product does not properly quote them; some overlap with path traversal.
CVE-2001-1567: "+" characters in query string converted to spaces before sensitive file/extension (internal space), leading to bypass of access restrictions to the file.
+ Potential Mitigations

See the vulnerability category "Path Equivalence".

+ Other Notes

This is not necessarily an equivalence issue, but it can also be used to spoof icons or conduct information hiding via information truncation (see user interface errors).

This weakness is likely to overlap quoting problems, e.g. the "Program Files" untrusted search path variants. It also could be an equivalence issue if filtering removes all extraneous spaces.
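
The ordering problem behind the equivalence case noted above (a check on the raw name, followed by decoding and space filtering) is shown in the following added example, which is not part of the CWE entry. The file names, the deny list and the space-stripping filter are constructed assumptions, not details of any listed CVE.

```python
import re
from urllib.parse import unquote_plus

# Constructed deny list for this example (hypothetical file name).
PROTECTED = {"conf/secret.cfg"}


def decode_and_filter(raw: str) -> str:
    """Hypothetical downstream layer: '+' and %20 become spaces, then a
    filter removes every whitespace character from the name."""
    return re.sub(r"\s+", "", unquote_plus(raw))


def weak_resolve(raw: str) -> str:
    """Weak ordering: the access check sees the raw string, but the
    name that reaches the file system is the decoded, filtered one."""
    if raw in PROTECTED:
        raise PermissionError(raw)
    return decode_and_filter(raw)


def strict_resolve(raw: str) -> str:
    """Corrected ordering: canonicalize once, check that canonical form,
    and hand the same string to the file system."""
    canonical = decode_and_filter(raw)
    if canonical in PROTECTED:
        raise PermissionError(canonical)
    return canonical


def is_equivalence_candidate(raw: str) -> bool:
    """Detection helper: flags requests whose canonical form differs from
    the raw form only by whitespace that decoding introduced."""
    decoded = unquote_plus(raw)
    return bool(re.search(r"\s", decoded)) and decode_and_filter(raw) != raw


if __name__ == "__main__":
    # Constructed sample requests.
    for raw in ("conf/secret.cfg", "conf/secret+.cfg", "conf/secret%20.cfg"):
        try:
            print(raw, "-> weak:", weak_resolve(raw))
        except PermissionError:
            print(raw, "-> weak: denied")
        try:
            print(raw, "-> strict:", strict_resolve(raw))
        except PermissionError:
            print(raw, "-> strict: denied")
```
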

+ Relationships
Nature | Type | ID | Name | View(s) this relationship pertains to
ChildOf | Weakness Base | 41 | Improper Resolution of Path Equivalence | Development Concepts (primary) 699; Research Concepts (primary) 1000
+ Taxonomy Mappings
Mapped Taxonomy Name | Node ID | Fit | Mapped Node Name
PLOVER | | | file(SPACE)name (internal space)
OWASP Top Ten 2004 | A9 | CWE More Specific | Denial of Service
+ Content History
Submission Date | Submitter | Organization | Source
 | PLOVER | | Externally Mined

Modification Date | Modifier | Organization | Source
2008-07-01 | Eric Dalci | Cigital | External
  updated Time of Introduction
2008-09-08 | CWE Content Team | MITRE | Internal
  updated Relationships, Other Notes, Taxonomy Mappings

Previous Entry Names
Change Date | Previous Entry Name
2008-04-11 | Path Issue - Internal Space - file(SPACE)name