CWE-50
Path Equivalence: '//multiple/leading/slash'
Incomplete
2006-07-19
00h00 +00:00
00h00 +00:00
2023-06-29
00h00 +00:00
00h00 +00:00
Notifications pour un CWE
Restez informé de toutes modifications pour un CWE spécifique.
Nom: Path Equivalence: '//multiple/leading/slash'
The product accepts path input in the form of multiple leading slash ('//multiple/leading/slash') without appropriate validation, which can lead to ambiguous path resolution and allow an attacker to traverse the file system to unintended locations or access arbitrary files.
Informations générales
Modes d'introduction
ImplementationPlateformes applicables
Langue
Class: Not Language-Specific (Undetermined)Conséquences courantes
| Portée | Impact | Probabilité |
|---|---|---|
| Confidentiality Integrity | Read Files or Directories, Modify Files or Directories |
Exemples observés
| Références | Description |
|---|---|
CVE-2002-1483 | Read files with full pathname using multiple internal slash. |
CVE-1999-1456 | Server allows remote attackers to read arbitrary files via a GET request with more than one leading / (slash) character in the filename. |
CVE-2004-0578 | Server allows remote attackers to read arbitrary files via leading slash (//) characters in a URL request. |
CVE-2002-0275 | Server allows remote attackers to bypass authentication and read restricted files via an extra / (slash) in the requested URL. |
CVE-2004-1032 | Product allows local users to delete arbitrary files or create arbitrary empty files via a target filename with a large number of leading slash (/) characters. |
CVE-2002-1238 | Server allows remote attackers to bypass access restrictions for files via an HTTP request with a sequence of multiple / (slash) characters such as http://www.example.com///file/. |
CVE-2004-1878 | Product allows remote attackers to bypass authentication, obtain sensitive information, or gain access via a direct request to admin/user.pl preceded by // (double leading slash). |
CVE-2005-1365 | Server allows remote attackers to execute arbitrary commands via a URL with multiple leading "/" (slash) characters and ".." sequences. |
CVE-2000-1050 | Access directory using multiple leading slash. |
CVE-2001-1072 | Bypass access restrictions via multiple leading slash, which causes a regular expression to fail. |
CVE-2004-0235 | Archive extracts to arbitrary files using multiple leading slash in filenames in the archive. |
Notes de cartographie des vulnérabilités
Justification : This CWE entry is at the Variant level of abstraction, which is a preferred level of abstraction for mapping to the root causes of vulnerabilities.Commentaire : Carefully read both the name and description to ensure that this mapping is an appropriate fit. Do not try to 'force' a mapping to a lower-level Base/Variant simply to comply with this preferred level of abstraction.
Soumission
| Nom | Organisation | Date | Date de publication | Version |
|---|---|---|---|---|
| PLOVER | Draft 3 |
Modifications
| Nom | Organisation | Date | Commentaire |
|---|---|---|---|
| Eric Dalci | Cigital | updated Time_of_Introduction | |
| CWE Content Team | MITRE | updated Relationships, Taxonomy_Mappings | |
| CWE Content Team | MITRE | updated Common_Consequences | |
| CWE Content Team | MITRE | updated Observed_Examples, Relationships | |
| CWE Content Team | MITRE | updated Potential_Mitigations | |
| CWE Content Team | MITRE | updated Relationships, Taxonomy_Mappings | |
| CWE Content Team | MITRE | updated Applicable_Platforms | |
| CWE Content Team | MITRE | updated Relationships | |
| CWE Content Team | MITRE | updated Description | |
| CWE Content Team | MITRE | updated Relationships | |
| CWE Content Team | MITRE | updated Mapping_Notes |
2025©
tesweb SA
