CWE-49 路径等价：'filename/'(尾部斜杠)

Path Equivalence: 'filename/' (Trailing Slash)

结构: Simple

Abstraction: Variant

状态: Incomplete

被利用可能性: unkown

基本描述

A software system that accepts path input in the form of trailing slash ('filedir/') without appropriate validation can lead to ambiguous path resolution and allow an attacker to traverse the file system to unintended locations or access arbitrary files.

相关缺陷

• cwe_Nature: ChildOf cwe_CWE_ID: 41 cwe_View_ID: 1000 cwe_Ordinal: Primary

• cwe_Nature: ChildOf cwe_CWE_ID: 41 cwe_View_ID: 699 cwe_Ordinal: Primary

• cwe_Nature: ChildOf cwe_CWE_ID: 162 cwe_View_ID: 1000

适用平台

Language: {'cwe_Class': 'Language-Independent', 'cwe_Prevalence': 'Undetermined'}

常见的影响

范围	影响	注释
['Confidentiality', 'Integrity']	['Read Files or Directories', 'Modify Files or Directories']

分析过的案例

标识	说明	链接
CVE-2002-0253	Overlaps infoleak	https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2002-0253
CVE-2001-0446	Application server allows remote attackers to read source code for .jsp files by appending a / to the requested URL.	https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2001-0446
CVE-2004-0334	Bypass Basic Authentication for files using trailing "/"	https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2004-0334
CVE-2001-0893	Read sensitive files with trailing "/"	https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2001-0893
CVE-2001-0892	Web server allows remote attackers to view sensitive files under the document root (such as .htpasswd) via a GET request with a trailing /.	https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2001-0892
CVE-2004-1814	Directory traversal vulnerability in server allows remote attackers to read protected files via .. (dot dot) sequences in an HTTP request.	https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2004-1814
BID:3518	Source code disclosure	http://www.securityfocus.com/bid/3518

分类映射

映射的分类名	ImNode ID	Fit	Mapped Node Name
PLOVER			filedir/ (trailing slash, trailing /)
Software Fault Patterns	SFP16		Path Traversal

文章来源于互联网:scap中文网