Logo
-

Byte Open Security

(ByteOS Network)

Log In

Sign Up

ByteOS

Security
Vulnerability Details
Registries
Custom Views
Weaknesses
Attack Patterns
Filters & Tools
CWE-54:Path Equivalence: 'filedir\' (Trailing Backslash)
Weakness ID:54
Version:v4.17
Weakness Name:Path Equivalence: 'filedir\' (Trailing Backslash)
Vulnerability Mapping:Allowed
Abstraction:Variant
Structure:Simple
Status:Incomplete
Likelihood of Exploit:
DetailsContent HistoryObserved CVE ExamplesReports
▼Description

The product accepts path input in the form of trailing backslash ('filedir\') without appropriate validation, which can lead to ambiguous path resolution and allow an attacker to traverse the file system to unintended locations or access arbitrary files.

▼Extended Description

▼Alternate Terms
▼Relationships
Relevant to the view"Research Concepts - (1000)"
NatureMappingTypeIDName
ChildOfAllowedB41Improper Resolution of Path Equivalence
ChildOfAllowedV162Improper Neutralization of Trailing Special Elements
Nature: ChildOf
Mapping: Allowed
Type: Base
ID: 41
Name: Improper Resolution of Path Equivalence
Nature: ChildOf
Mapping: Allowed
Type: Variant
ID: 162
Name: Improper Neutralization of Trailing Special Elements
▼Memberships
NatureMappingTypeIDName
MemberOfProhibitedC981SFP Secondary Cluster: Path Traversal
MemberOfProhibitedC1404Comprehensive Categorization: File Handling
Nature: MemberOf
Mapping: Prohibited
Type:Category
ID: 981
Name: SFP Secondary Cluster: Path Traversal
Nature: MemberOf
Mapping: Prohibited
Type:Category
ID: 1404
Name: Comprehensive Categorization: File Handling
▼Tags
NatureMappingTypeIDName
MemberOfProhibitedBSBOSS-279Input Validation Strategy
MemberOfProhibitedBSBOSS-294Not Language-Specific Weaknesses
MemberOfProhibitedBSBOSS-319Read Files or Directories (impact)
MemberOfProhibitedBSBOSS-320Modify Files or Directories (impact)
Nature: MemberOf
Mapping: Prohibited
Type:BOSSView
ID: BOSS-279
Name: Input Validation Strategy
Nature: MemberOf
Mapping: Prohibited
Type:BOSSView
ID: BOSS-294
Name: Not Language-Specific Weaknesses
Nature: MemberOf
Mapping: Prohibited
Type:BOSSView
ID: BOSS-319
Name: Read Files or Directories (impact)
Nature: MemberOf
Mapping: Prohibited
Type:BOSSView
ID: BOSS-320
Name: Modify Files or Directories (impact)
▼Relevant To View
Relevant to the view"Software Fault Pattern (SFP) Clusters - (888)"
NatureMappingTypeIDName
MemberOfProhibitedC981SFP Secondary Cluster: Path Traversal
Nature: MemberOf
Mapping: Prohibited
Type: Category
ID: 981
Name: SFP Secondary Cluster: Path Traversal
▼Background Detail

▼Common Consequences
ScopeLikelihoodImpactNote
ConfidentialityIntegrityN/ARead Files or DirectoriesModify Files or Directories
N/A
Scope: Confidentiality, Integrity
Likelihood: N/A
Impact: Read Files or Directories, Modify Files or Directories
Note:
N/A
▼Potential Mitigations
Phase:Implementation
Mitigation ID: MIT-20
Strategy: Input Validation
Effectiveness:
Description:

Inputs should be decoded and canonicalized to the application's current internal representation before being validated (CWE-180). Make sure that the application does not decode the same input twice (CWE-174). Such errors could be used to bypass allowlist validation schemes by introducing dangerous inputs after they have been checked.

Note:

▼Modes Of Introduction
Phase: Implementation
Note:

N/A

▼Applicable Platforms
Languages
Class: Not Language-Specific(Undetermined Prevalence)
▼Demonstrative Examples
▼Observed Examples
ReferenceDescription
CVE-2004-0847
web framework for .NET allows remote attackers to bypass authentication for .aspx files in restricted directories via a request containing a (1) "\" (backslash) or (2) "%5C" (encoded backslash)
CVE-2004-0061
Bypass directory access restrictions using trailing dot in URL
Reference: CVE-2004-0847
Description:
web framework for .NET allows remote attackers to bypass authentication for .aspx files in restricted directories via a request containing a (1) "\" (backslash) or (2) "%5C" (encoded backslash)
Reference: CVE-2004-0061
Description:
Bypass directory access restrictions using trailing dot in URL
▼Affected Resources
    ▼Functional Areas
      ▼Weakness Ordinalities
      OrdinalityDescription
      ▼Detection Methods
      ▼Vulnerability Mapping Notes
      Usage:Allowed
      Reason:Acceptable-Use
      Rationale:

      This CWE entry is at the Variant level of abstraction, which is a preferred level of abstraction for mapping to the root causes of vulnerabilities.

      Comments:

      Carefully read both the name and description to ensure that this mapping is an appropriate fit. Do not try to 'force' a mapping to a lower-level Base/Variant simply to comply with this preferred level of abstraction.

      Suggestions:
      ▼Notes
      ▼Taxonomy Mappings
      Taxonomy NameEntry IDFitEntry Name
      PLOVERN/AN/Afiledir\ (trailing backslash)
      Software Fault PatternsSFP16N/APath Traversal
      Taxonomy Name: PLOVER
      Entry ID: N/A
      Fit: N/A
      Entry Name: filedir\ (trailing backslash)
      Taxonomy Name: Software Fault Patterns
      Entry ID: SFP16
      Fit: N/A
      Entry Name: Path Traversal
      ▼Related Attack Patterns
      IDName
      ▼References
      Details not found