2021年12月16日16:30:40评论62 views字数 2184阅读7分16秒阅读模式

CWE-46 路径等价：'filename'(结尾空格)

Path Equivalence: 'filename ' (Trailing Space)

结构: Simple

Abstraction: Variant

状态: Incomplete

被利用可能性: unkown

基本描述

A software system that accepts path input in the form of trailing space ('filedir ') without appropriate validation can lead to ambiguous path resolution and allow an attacker to traverse the file system to unintended locations or access arbitrary files.

适用平台

Language: {'cwe_Class': 'Language-Independent', 'cwe_Prevalence': 'Undetermined'}

常见的影响

范围	影响	注释
['Confidentiality', 'Integrity']	['Read Files or Directories', 'Modify Files or Directories']

分析过的案例

标识	说明	链接
CVE-2001-0693	Source disclosure via trailing encoded space "%20"	https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2001-0693
CVE-2001-0778	Source disclosure via trailing encoded space "%20"	https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2001-0778
CVE-2001-1248	Source disclosure via trailing encoded space "%20"	https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2001-1248
CVE-2004-0280	Source disclosure via trailing encoded space "%20"	https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2004-0280
CVE-2004-2213	Source disclosure via trailing encoded space "%20"	https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2004-2213
CVE-2005-0622	Source disclosure via trailing encoded space "%20"	https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2005-0622
CVE-2005-1656	Source disclosure via trailing encoded space "%20"	https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2005-1656
CVE-2002-1603	Source disclosure via trailing encoded space "%20"	https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2002-1603
CVE-2001-0054	Multi-Factor Vulnerability (MVF). directory traversal and other issues in FTP server using Web encodings such as "%20"; certain manipulations have unusual side effects.	https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2001-0054
CVE-2002-1451	Trailing space ("+" in query string) leads to source code disclosure.	https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2002-1451

分类映射

映射的分类名	ImNode ID	Fit	Mapped Node Name
PLOVER			Trailing Space - 'filedir '
Software Fault Patterns	SFP16		Path Traversal

CWE-46 路径等价：'filename'(结尾空格)

CWE-46 路径等价：'filename'(结尾空格)

Path Equivalence: 'filename ' (Trailing Space)

基本描述

相关缺陷

适用平台

常见的影响

分析过的案例

分类映射

相关攻击模式

View-999: Weaknesses without Software Fault Patterns

View-884: CWE Cross-section

View-868: Weaknesses Addressed by the SEI CERT C++ Coding Standard (2016 Version)

View-844: Weaknesses Addressed by The CERT Oracle Secure Coding Standard for Java (2011)

View-809: Weaknesses in OWASP Top Ten (2010)

View-800: Weaknesses in the 2010 CWE/SANS Top 25 Most Dangerous Programming Errors

View-750: Weaknesses in the 2009 CWE/SANS Top 25 Most Dangerous Programming Errors

View-734: Weaknesses Addressed by the CERT C Secure Coding Standard (2008)

View-711: Weaknesses in OWASP Top Ten (2004)

View-709: Named Chains

发表评论

在线咨询

微信