Tag Archives: Path Equivalence: ‘/multiple//internal/slash’

CWE-51 – Path Equivalence: ‘/multiple//internal/slash’

Read Time:41 Second

Description

A software system that accepts path input in the form of multiple internal slash (‘/multiple//internal/slash/’) without appropriate validation can lead to ambiguous path resolution and allow an attacker to traverse the file system to unintended locations or access arbitrary files.

Modes of Introduction:

– Implementation

 

 

Related Weaknesses

CWE-41

 

Consequences

Confidentiality, Integrity: Read Files or Directories, Modify Files or Directories

 

Potential Mitigations

Phase: Implementation

Description: 

Inputs should be decoded and canonicalized to the application’s current internal representation before being validated (CWE-180). Make sure that the application does not decode the same input twice (CWE-174). Such errors could be used to bypass allowlist validation schemes by introducing dangerous inputs after they have been checked.

CVE References

  • CVE-2002-1483
    • Read files with full pathname using multiple internal slash.