Logo
-

Byte Open Security

(ByteOS Network)

Log In

Sign Up

ByteOS

Security
Vulnerability Details
Registries
Custom Views
Weaknesses
Attack Patterns
Filters & Tools
CWE-48:Path Equivalence: 'file name' (Internal Whitespace)
Weakness ID:48
Version:v4.17
Weakness Name:Path Equivalence: 'file name' (Internal Whitespace)
Vulnerability Mapping:Allowed
Abstraction:Variant
Structure:Simple
Status:Incomplete
Likelihood of Exploit:
DetailsContent HistoryObserved CVE ExamplesReports
▼Description

The product accepts path input in the form of internal space ('file(SPACE)name') without appropriate validation, which can lead to ambiguous path resolution and allow an attacker to traverse the file system to unintended locations or access arbitrary files.

▼Extended Description

▼Alternate Terms
▼Relationships
Relevant to the view"Research Concepts - (1000)"
NatureMappingTypeIDName
ChildOfAllowedB41Improper Resolution of Path Equivalence
Nature: ChildOf
Mapping: Allowed
Type: Base
ID: 41
Name: Improper Resolution of Path Equivalence
▼Memberships
NatureMappingTypeIDName
MemberOfProhibitedC981SFP Secondary Cluster: Path Traversal
MemberOfProhibitedC1404Comprehensive Categorization: File Handling
Nature: MemberOf
Mapping: Prohibited
Type:Category
ID: 981
Name: SFP Secondary Cluster: Path Traversal
Nature: MemberOf
Mapping: Prohibited
Type:Category
ID: 1404
Name: Comprehensive Categorization: File Handling
▼Tags
NatureMappingTypeIDName
MemberOfProhibitedBSBOSS-294Not Language-Specific Weaknesses
MemberOfProhibitedBSBOSS-319Read Files or Directories (impact)
MemberOfProhibitedBSBOSS-320Modify Files or Directories (impact)
Nature: MemberOf
Mapping: Prohibited
Type:BOSSView
ID: BOSS-294
Name: Not Language-Specific Weaknesses
Nature: MemberOf
Mapping: Prohibited
Type:BOSSView
ID: BOSS-319
Name: Read Files or Directories (impact)
Nature: MemberOf
Mapping: Prohibited
Type:BOSSView
ID: BOSS-320
Name: Modify Files or Directories (impact)
▼Relevant To View
Relevant to the view"Software Fault Pattern (SFP) Clusters - (888)"
NatureMappingTypeIDName
MemberOfProhibitedC981SFP Secondary Cluster: Path Traversal
Nature: MemberOf
Mapping: Prohibited
Type: Category
ID: 981
Name: SFP Secondary Cluster: Path Traversal
▼Background Detail

▼Common Consequences
ScopeLikelihoodImpactNote
ConfidentialityIntegrityN/ARead Files or DirectoriesModify Files or Directories
N/A
Scope: Confidentiality, Integrity
Likelihood: N/A
Impact: Read Files or Directories, Modify Files or Directories
Note:
N/A
▼Potential Mitigations
▼Modes Of Introduction
Phase: Implementation
Note:

N/A

▼Applicable Platforms
Languages
Class: Not Language-Specific(Undetermined Prevalence)
▼Demonstrative Examples
▼Observed Examples
ReferenceDescription
CVE-2000-0293
Filenames with spaces allow arbitrary file deletion when the product does not properly quote them; some overlap with path traversal.
CVE-2001-1567
"+" characters in query string converted to spaces before sensitive file/extension (internal space), leading to bypass of access restrictions to the file.
Reference: CVE-2000-0293
Description:
Filenames with spaces allow arbitrary file deletion when the product does not properly quote them; some overlap with path traversal.
Reference: CVE-2001-1567
Description:
"+" characters in query string converted to spaces before sensitive file/extension (internal space), leading to bypass of access restrictions to the file.
▼Affected Resources
    ▼Functional Areas
      ▼Weakness Ordinalities
      OrdinalityDescription
      ▼Detection Methods
      ▼Vulnerability Mapping Notes
      Usage:Allowed
      Reason:Acceptable-Use
      Rationale:

      This CWE entry is at the Variant level of abstraction, which is a preferred level of abstraction for mapping to the root causes of vulnerabilities.

      Comments:

      Carefully read both the name and description to ensure that this mapping is an appropriate fit. Do not try to 'force' a mapping to a lower-level Base/Variant simply to comply with this preferred level of abstraction.

      Suggestions:
      ▼Notes
      Relationship

      This weakness is likely to overlap quoting problems, e.g. the "Program Files" unquoted search path (CWE-428). It also could be an equivalence issue if filtering removes all extraneous spaces.

      N/A

      Relationship

      Whitespace can be a factor in other weaknesses not directly related to equivalence. It can also be used to spoof icons or hide files with dangerous names (see icon manipulation and visual truncation in CWE-451).

      N/A

      ▼Taxonomy Mappings
      Taxonomy NameEntry IDFitEntry Name
      PLOVERN/AN/Afile(SPACE)name (internal space)
      OWASP Top Ten 2004A9CWE More SpecificDenial of Service
      Software Fault PatternsSFP16N/APath Traversal
      Taxonomy Name: PLOVER
      Entry ID: N/A
      Fit: N/A
      Entry Name: file(SPACE)name (internal space)
      Taxonomy Name: OWASP Top Ten 2004
      Entry ID: A9
      Fit: CWE More Specific
      Entry Name: Denial of Service
      Taxonomy Name: Software Fault Patterns
      Entry ID: SFP16
      Fit: N/A
      Entry Name: Path Traversal
      ▼Related Attack Patterns
      IDName
      ▼References
      Details not found