This vulnerability occurs when an application accepts file paths containing internal dots (like 'file.ordir') without properly checking them. Attackers can exploit this to bypass security checks, traverse directories, and access sensitive files or system areas they shouldn't be able to reach.
Internal dot sequences in a path can confuse how an operating system resolves the final file location. For example, a path like 'secure/config. ./../data.txt' might be interpreted differently than the developer intended, potentially jumping up a directory level. This ambiguity allows attackers to craft malicious paths that slip past simple validation filters, leading to unauthorized file access or directory traversal.

To prevent this, developers should normalize and canonicalize all user-supplied file paths before processing them. Use strict allowlists of permitted directories, and use robust path-validation libraries that resolve '..', '.', and internal dot sequences to their absolute, intended locations before any access check is made. Never trust raw path input, because operating systems may interpret special sequences in unexpected ways.
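The canonicalize-then-check approach described above, as an added example (not code from the original page): the allowlisted root '/srv/app/secure' and the sample inputs are assumptions constructed for illustration.

```python
import os
from typing import Optional

# Hypothetical allowlisted root directory (assumption, not from the page).
BASE_DIR = os.path.realpath("/srv/app/secure")


def resolve_within_base(user_path: str, base_dir: str = BASE_DIR) -> Optional[str]:
    """Canonicalize user_path relative to base_dir and return the absolute
    path only if it still lies inside base_dir; otherwise return None.

    The containment check runs on the canonical form, so internal-dot
    segments such as 'config. .' and any '..' that follows them are
    collapsed before the decision is made, rather than string-matched.
    """
    # NUL bytes truncate paths in C-level system calls; reject them outright.
    if "\x00" in user_path:
        return None
    # Treat every input as relative to the base. Stripping leading slashes
    # keeps os.path.join from discarding base_dir for an absolute input.
    candidate = os.path.join(base_dir, user_path.lstrip("/\\"))
    # realpath resolves '.', '..', symlinks and redundant separators.
    resolved = os.path.realpath(candidate)
    # Prefix check on path components, not on raw strings, so that a
    # sibling directory like '/srv/app/secure2' is not accepted.
    if os.path.commonpath([base_dir, resolved]) != base_dir:
        return None
    return resolved


if __name__ == "__main__":
    # Constructed sample inputs: an ordinary internal-dot filename, the
    # page's ambiguous path, a classic traversal, and an absolute path.
    for p in ["report.2024.txt",
              "secure/config. ./../data.txt",
              "../../etc/passwd",
              "/etc/passwd"]:
        print(repr(p), "->", resolve_within_base(p))
```

Inputs that canonicalize to a location inside the allowlisted root are returned in resolved form; anything that escapes it (here '../../etc/passwd') is rejected with None.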
Impact: Read Files or Directories; Modify Files or Directories