Logo
-

Byte Open Security

(ByteOS Network)

Log In

Sign Up

ByteOS

Security
Vulnerability Details
Registries
Custom Views
Weaknesses
Attack Patterns
Filters & Tools
CWE-55:Path Equivalence: '/./' (Single Dot Directory)
Weakness ID:55
Version:v4.17
Weakness Name:Path Equivalence: '/./' (Single Dot Directory)
Vulnerability Mapping:Allowed
Abstraction:Variant
Structure:Simple
Status:Incomplete
Likelihood of Exploit:
DetailsContent HistoryObserved CVE ExamplesReports
▼Description

The product accepts path input in the form of single dot directory exploit ('/./') without appropriate validation, which can lead to ambiguous path resolution and allow an attacker to traverse the file system to unintended locations or access arbitrary files.

▼Extended Description

▼Alternate Terms
▼Relationships
Relevant to the view"Research Concepts - (1000)"
NatureMappingTypeIDName
ChildOfAllowedB41Improper Resolution of Path Equivalence
Nature: ChildOf
Mapping: Allowed
Type: Base
ID: 41
Name: Improper Resolution of Path Equivalence
▼Memberships
NatureMappingTypeIDName
MemberOfProhibitedC981SFP Secondary Cluster: Path Traversal
MemberOfProhibitedC1404Comprehensive Categorization: File Handling
Nature: MemberOf
Mapping: Prohibited
Type:Category
ID: 981
Name: SFP Secondary Cluster: Path Traversal
Nature: MemberOf
Mapping: Prohibited
Type:Category
ID: 1404
Name: Comprehensive Categorization: File Handling
▼Tags
NatureMappingTypeIDName
MemberOfProhibitedBSBOSS-279Input Validation Strategy
MemberOfProhibitedBSBOSS-294Not Language-Specific Weaknesses
MemberOfProhibitedBSBOSS-319Read Files or Directories (impact)
MemberOfProhibitedBSBOSS-320Modify Files or Directories (impact)
Nature: MemberOf
Mapping: Prohibited
Type:BOSSView
ID: BOSS-279
Name: Input Validation Strategy
Nature: MemberOf
Mapping: Prohibited
Type:BOSSView
ID: BOSS-294
Name: Not Language-Specific Weaknesses
Nature: MemberOf
Mapping: Prohibited
Type:BOSSView
ID: BOSS-319
Name: Read Files or Directories (impact)
Nature: MemberOf
Mapping: Prohibited
Type:BOSSView
ID: BOSS-320
Name: Modify Files or Directories (impact)
▼Relevant To View
Relevant to the view"Software Fault Pattern (SFP) Clusters - (888)"
NatureMappingTypeIDName
MemberOfProhibitedC981SFP Secondary Cluster: Path Traversal
Nature: MemberOf
Mapping: Prohibited
Type: Category
ID: 981
Name: SFP Secondary Cluster: Path Traversal
▼Background Detail

▼Common Consequences
ScopeLikelihoodImpactNote
ConfidentialityIntegrityN/ARead Files or DirectoriesModify Files or Directories
N/A
Scope: Confidentiality, Integrity
Likelihood: N/A
Impact: Read Files or Directories, Modify Files or Directories
Note:
N/A
▼Potential Mitigations
Phase:Implementation
Mitigation ID: MIT-20
Strategy: Input Validation
Effectiveness:
Description:

Inputs should be decoded and canonicalized to the application's current internal representation before being validated (CWE-180). Make sure that the application does not decode the same input twice (CWE-174). Such errors could be used to bypass allowlist validation schemes by introducing dangerous inputs after they have been checked.

Note:

▼Modes Of Introduction
Phase: Implementation
Note:

N/A

▼Applicable Platforms
Languages
Class: Not Language-Specific(Undetermined Prevalence)
▼Demonstrative Examples
▼Observed Examples
ReferenceDescription
CVE-2000-0004
Server allows remote attackers to read source code for executable files by inserting a . (dot) into the URL.
CVE-2002-0304
Server allows remote attackers to read password-protected files via a /./ in the HTTP request.
CVE-1999-1083
Possibly (could be a cleansing error)
CVE-2004-0815
"/./////etc" cleansed to ".///etc" then "/etc"
CVE-2002-0112
Server allows remote attackers to view password protected files via /./ in the URL.
Reference: CVE-2000-0004
Description:
Server allows remote attackers to read source code for executable files by inserting a . (dot) into the URL.
Reference: CVE-2002-0304
Description:
Server allows remote attackers to read password-protected files via a /./ in the HTTP request.
Reference: CVE-1999-1083
Description:
Possibly (could be a cleansing error)
Reference: CVE-2004-0815
Description:
"/./////etc" cleansed to ".///etc" then "/etc"
Reference: CVE-2002-0112
Description:
Server allows remote attackers to view password protected files via /./ in the URL.
▼Affected Resources
    ▼Functional Areas
      ▼Weakness Ordinalities
      OrdinalityDescription
      ▼Detection Methods
      ▼Vulnerability Mapping Notes
      Usage:Allowed
      Reason:Acceptable-Use
      Rationale:

      This CWE entry is at the Variant level of abstraction, which is a preferred level of abstraction for mapping to the root causes of vulnerabilities.

      Comments:

      Carefully read both the name and description to ensure that this mapping is an appropriate fit. Do not try to 'force' a mapping to a lower-level Base/Variant simply to comply with this preferred level of abstraction.

      Suggestions:
      ▼Notes
      ▼Taxonomy Mappings
      Taxonomy NameEntry IDFitEntry Name
      PLOVERN/AN/A/./ (single dot directory)
      Software Fault PatternsSFP16N/APath Traversal
      Taxonomy Name: PLOVER
      Entry ID: N/A
      Fit: N/A
      Entry Name: /./ (single dot directory)
      Taxonomy Name: Software Fault Patterns
      Entry ID: SFP16
      Fit: N/A
      Entry Name: Path Traversal
      ▼Related Attack Patterns
      IDName
      ▼References
      Details not found