Tag Archives: Path Equivalence: ‘/multiple/trailing/slash//’

CWE-52 – Path Equivalence: ‘/multiple/trailing/slash//’

Read Time:42 Second

Description

A software system that accepts path input in the form of multiple trailing slash (‘/multiple/trailing/slash//’) without appropriate validation can lead to ambiguous path resolution and allow an attacker to traverse the file system to unintended locations or access arbitrary files.

Modes of Introduction:

– Implementation

 

 

Related Weaknesses

CWE-41
CWE-163
CWE-289

 

Consequences

Confidentiality, Integrity: Read Files or Directories, Modify Files or Directories

 

Potential Mitigations

Phase: Implementation

Description: 

Inputs should be decoded and canonicalized to the application’s current internal representation before being validated (CWE-180). Make sure that the application does not decode the same input twice (CWE-174). Such errors could be used to bypass allowlist validation schemes by introducing dangerous inputs after they have been checked.

CVE References

  • CVE-2002-1078
    • Directory listings in web server using multiple trailing slash