CWE-73: External Control of File Name or Path

Description

The product allows user input to control or influence paths or file names that are used in filesystem operations.

Submission Date :

July 19, 2006, midnight

Modification Date :

2023-10-26 00:00:00+00:00

Organization :

MITRE
Extended Description

This could allow an attacker to access or modify system files or other files that are critical to the application.

Path manipulation errors occur when the following two conditions are met:

1. An attacker can specify a path used in an operation on the filesystem.
2. By specifying the resource, the attacker gains a capability that would not otherwise be permitted.

For example, the program may give the attacker the ability to overwrite the specified file or run with a configuration controlled by the attacker.

Example Vulnerable Codes

Example - 1

The following code uses input from an HTTP request to create a file name. The programmer has not considered the possibility that an attacker could provide a file name such as "../../tomcat/conf/server.xml", which causes the application to delete one of its own configuration files (CWE-22).


String rName = request.getParameter("reportName");File rFile = new File("/usr/local/apfr/reports/" + rName);...rFile.delete();

Example - 2

The following code uses input from a configuration file to determine which file to open and echo back to the user. If the program runs with privileges and malicious users can change the configuration file, they can use the program to read any file on the system that ends with the extension .txt.


fis = new FileInputStream(cfg.getProperty("sub")+".txt");amt = fis.read(arr);out.println(arr);

Related Weaknesses

This table shows the weaknesses and high level categories that are related to this weakness. These relationships are defined to give an overview of the different insight to similar items that may exist at higher and lower levels of abstraction.

CWE-20: Improper Input Validation
Go to
CWE-22: Improper Limitation of a Pathname to a Restricted Directory ('Path Traversal')
Go to
CWE-41: Improper Resolution of Path Equivalence
Go to
CWE-59: Improper Link Resolution Before File Access ('Link Following')
Go to
CWE-98: Improper Control of Filename for Include/Require Statement in PHP Program ('PHP Remote File Inclusion')
Go to
CWE-99: Improper Control of Resource Identifiers ('Resource Injection')
Go to
CWE-114: Process Control
Go to
CWE-434: Unrestricted Upload of File with Dangerous Type
Go to
CWE-610: Externally Controlled Reference to a Resource in Another Sphere
Go to
CWE-642: External Control of Critical State Data
Go to

Visit http://cwe.mitre.org/ for more details.

© cvefeed.io
Latest DB Update: Nov. 23, 2024 8:06
Theme Customizer
Layout

Choose your layout

Vertical
Horizontal
Two Column
Color Scheme

Choose Light or Dark Scheme.

Light
Dark
Layout Width

Choose Fluid or Boxed layout.

Fluid
Boxed
Layout Position

Choose Fixed or Scrollable Layout Position.

Topbar Color

Choose Light or Dark Topbar Color.

Light
Dark
Preloader

Choose a preloader.

Enable
Disable
Buy Now