Path Equivalence: 'fakedir/../realdir/filename'
Incomplete Variant
Structure: Simple
Description
The product contains protection mechanisms to restrict access to 'realdir/filename', but it constructs pathnames using external input in the form of 'fakedir/../realdir/filename' that are not handled by those mechanisms. This allows attackers to perform unauthorized actions against the targeted file.
Common Consequences 1
Scope: ConfidentialityIntegrity
Impact: Read Files or DirectoriesModify Files or Directories
Potential Mitigations 1
Phase: Implementation
Strategy: Input Validation
Inputs should be decoded and canonicalized to the application's current internal representation before being validated (Incorrect Behavior Order: Validate Before Canonicalize). Make sure that the application does not decode the same input twice (Double Decoding of the Same Data). Such errors could be used to bypass allowlist validation schemes by introducing dangerous inputs after they have been checked.
Observed Examples 3
CVE-2001-1152Proxy allows remote attackers to bypass denylist restrictions and connect to unauthorized web servers by modifying the requested URL, including (1) a // (double slash), (2) a /SUBDIR/.. where the desired file is in the parentdir, (3) a /./, or (4) URL-encoded characters.
CVE-2000-0191application check access for restricted URL before canonicalization
CVE-2005-1366CGI source disclosure using "dirname/../cgi-bin"
Applicable Platforms
Languages:
Not Language-Specific : Undetermined
Modes of Introduction
Implementation
Functional Areas
- File Processing
Affected Resources
- File or Directory
Related Weaknesses
Taxonomy Mapping
- PLOVER
- Software Fault Patterns
Notes
TheoreticalThis is a manipulation that uses an injection for one consequence (containment violation using relative path) to achieve a different consequence (equivalence by alternate name).