Path Equivalence: '//multiple/leading/slash'

Description

This vulnerability occurs when an application accepts file or directory paths containing multiple leading slashes (like '//multiple/leading/slash') without proper normalization. Attackers can exploit this ambiguity to bypass security checks, potentially accessing files or directories outside the intended scope.

Extended Description

When a system processes a path starting with '//', different operating systems and libraries interpret it differently. On Unix-like systems, '//' is often treated as equivalent to a single '/', but some parsers or custom logic might handle it inconsistently. This inconsistency creates a loophole where an attacker can craft paths that confuse the resolution logic, leading to unauthorized file system access. To prevent this, developers should implement strict path validation and canonicalization. Always normalize user-supplied paths by resolving sequences like '//' to a single slash before any security or access control checks. Use trusted library functions for path resolution instead of custom string manipulation to ensure consistent behavior across all platforms.

Common Consequences 1

Scope: ConfidentialityIntegrity

Impact: Read Files or DirectoriesModify Files or Directories

Observed Examples 11

CVE-2002-1483Read files with full pathname using multiple internal slash.

CVE-1999-1456Server allows remote attackers to read arbitrary files via a GET request with more than one leading / (slash) character in the filename.

CVE-2004-0578Server allows remote attackers to read arbitrary files via leading slash (//) characters in a URL request.

CVE-2002-0275Server allows remote attackers to bypass authentication and read restricted files via an extra / (slash) in the requested URL.

CVE-2004-1032Product allows local users to delete arbitrary files or create arbitrary empty files via a target filename with a large number of leading slash (/) characters.

CVE-2002-1238Server allows remote attackers to bypass access restrictions for files via an HTTP request with a sequence of multiple / (slash) characters such as http://www.example.com///file/.

CVE-2004-1878Product allows remote attackers to bypass authentication, obtain sensitive information, or gain access via a direct request to admin/user.pl preceded by // (double leading slash).

CVE-2005-1365Server allows remote attackers to execute arbitrary commands via a URL with multiple leading "/" (slash) characters and ".." sequences.

CVE-2000-1050Access directory using multiple leading slash.

CVE-2001-1072Bypass access restrictions via multiple leading slash, which causes a regular expression to fail.

CVE-2004-0235Archive extracts to arbitrary files using multiple leading slash in filenames in the archive.

Applicable Platforms

Languages:

Not Language-Specific : Undetermined

Modes of Introduction

Implementation

Functional Areas

File Processing

Affected Resources

File or Directory

Related Weaknesses

ChildOf:

Improper Resolution of Path Equivalence (CWE-41)

ChildOf:

Improper Neutralization of Multiple Leading Special Elements (CWE-161)

Taxonomy Mapping

PLOVER
Software Fault Patterns