CWE-73 – External Control of File Name or Path

Read Time:3 Minute, 12 Second

Description

The software allows user input to control or influence paths or file names that are used in filesystem operations.

Modes of Introduction:

– Architecture and Design

Likelihood of Exploit: High

 

Related Weaknesses

CWE-642
CWE-610
CWE-20
CWE-22
CWE-41
CWE-98
CWE-434
CWE-59

 

Consequences

Integrity, Confidentiality: Read Files or Directories, Modify Files or Directories

The application can operate on unexpected files. Confidentiality is violated when the targeted filename is not directly readable by the attacker.

Integrity, Confidentiality, Availability: Modify Files or Directories, Execute Unauthorized Code or Commands

The application can operate on unexpected files. This may violate integrity if the filename is written to, or if the filename is for a program or other form of executable code.

Availability: DoS: Crash, Exit, or Restart, DoS: Resource Consumption (Other)

The application can operate on unexpected files. Availability can be violated if the attacker specifies an unexpected file that the application modifies. Availability can also be affected if the attacker specifies a filename for a large file, or points to a special device or a file that does not have the format that the application expects.

 

Potential Mitigations

Phase: Architecture and Design

Effectiveness:

Description: 

When the set of filenames is limited or known, create a mapping from a set of fixed input values (such as numeric IDs) to the actual filenames, and reject all other inputs. For example, ID 1 could map to “inbox.txt” and ID 2 could map to “profile.txt”. Features such as the ESAPI AccessReferenceMap provide this capability.

Phase: Architecture and Design, Operation

Effectiveness:

Description: 

Phase: Architecture and Design

Effectiveness:

Description: 

For any security checks that are performed on the client side, ensure that these checks are duplicated on the server side, in order to avoid CWE-602. Attackers can bypass the client-side checks by modifying values after the checks have been performed, or by changing the client to remove the client-side checks entirely. Then, these modified values would be submitted to the server.

Phase: Implementation

Effectiveness: High

Description: 

Phase: Implementation

Effectiveness:

Description: 

Use a built-in path canonicalization function (such as realpath() in C) that produces the canonical version of the pathname, which effectively removes “..” sequences and symbolic links (CWE-23, CWE-59).

Phase: Installation, Operation

Effectiveness:

Description: 

Use OS-level permissions and run as a low-privileged user to limit the scope of any successful attack.

Phase: Operation, Implementation

Effectiveness:

Description: 

If you are using PHP, configure your application so that it does not use register_globals. During implementation, develop your application so that it does not rely on this feature, but be wary of implementing a register_globals emulation that is subject to weaknesses such as CWE-95, CWE-621, and similar issues.

Phase: Testing

Effectiveness:

Description: 

Use automated static analysis tools that target this type of weakness. Many modern techniques use data flow analysis to minimize the number of false positives. This is not a perfect solution, since 100% accuracy and coverage are not feasible.

Phase: Testing

Effectiveness:

Description: 

Use dynamic tools and techniques that interact with the software using large test suites with many diverse inputs, such as fuzz testing (fuzzing), robustness testing, and fault injection. The software’s operation may slow down, but it should not become unstable, crash, or generate incorrect results.

Phase: Testing

Effectiveness:

Description: 

Use tools and techniques that require manual (human) analysis, such as penetration testing, threat modeling, and interactive tools that allow the tester to record and modify an active session. These may be more effective than strictly automated techniques. This is especially the case with weaknesses that are related to design and business rules.

CVE References

 

  • CVE-2008-5748
    • Chain: external control of values for user’s desired language and theme enables path traversal.
  • CVE-2008-5764
    • Chain: external control of user’s target language enables remote file inclusion.