Race Condition Enabling Link Following
This vulnerability occurs when a program checks a file's status before using it, creating a brief window where an attacker can replace that file with a malicious link. This causes the program to follow the link and access an unintended, potentially dangerous location.
Developers often assume the gap between checking a file and using it is too small to exploit, but this race condition is very real. Attackers can widen this window by slowing the system down—for example, by consuming memory—or simply by launching repeated attacks until one succeeds. This flaw is particularly dangerous because it bypasses intended security checks. The program verifies a legitimate file, but in that instant, an attacker swaps it for a link pointing to a sensitive system file or a malicious payload, tricking the application into performing unauthorized actions.
Impact: Read Files or DirectoriesModify Files or Directories
ID : DX-49
This code prints the contents of a file if a user has permission.Code Example:
php//resolve file if its a symbolic link* if(is_link($filename)){ ``` $filename = readlink($filename); } if(fileowner($filename) == $user){ echo file_get_contents($realFile); return; } else{ echo 'Access denied'; return false; } }
- PLOVER
- CERT C Secure Coding
- Software Fault Patterns