Description

The software defines policy namespaces and makes authorization decisions based on the assumption that a URL is canonical. This can allow a non-canonical URL to bypass the authorization.

Modes of Introduction:

– Architecture and Design

Likelihood of Exploit: High

Related Weaknesses

CWE-863

Consequences

Access Control: Bypass Protection Mechanism

An attacker may be able to bypass the authorization mechanism to gain access to the otherwise-protected URL.

Confidentiality: Read Files or Directories

If a non-canonical URL is used, the server may choose to return the contents of the file, instead of pre-processing the file (e.g. as a program).

Potential Mitigations

Phase: Architecture and Design

Description: 

Make access control policy based on path information in canonical form. Use very restrictive regular expressions to validate that the path is in the expected form.

Phase: Architecture and Design

Description: 

Reject all alternate path encodings that are not in the expected canonical form.

CVE References