logo

Path Equivalence: '/./' (Single Dot Directory)

Incomplete Variant
Structure: Simple
Description

This vulnerability occurs when an application accepts file paths containing '/./' (single dot directory) sequences without proper validation. Attackers can exploit this to bypass intended directory structures, potentially accessing sensitive files or navigating to unauthorized locations within the file system.

Extended Description

The '/./' sequence, while technically valid in some filesystems, represents the current directory. When an application doesn't normalize or validate these sequences, it creates ambiguous path resolution. An attacker can inject '/./' repeatedly to manipulate how the system interprets the final path, potentially escaping restricted directories or accessing files outside the intended scope. To prevent this, developers should implement strict path validation that resolves all dot directory sequences before processing. Use canonical path functions provided by your programming language to normalize paths, and enforce a whitelist of allowed directories. Never trust user-supplied paths directly—always validate them against a known safe base directory.
Common Consequences 1
Scope: ConfidentialityIntegrity

Impact: Read Files or DirectoriesModify Files or Directories
Potential Mitigations 1
Phase: Implementation

Strategy: Input Validation

Inputs should be decoded and canonicalized to the application's current internal representation before being validated (Incorrect Behavior Order: Validate Before Canonicalize). Make sure that the application does not decode the same input twice (Double Decoding of the Same Data). Such errors could be used to bypass allowlist validation schemes by introducing dangerous inputs after they have been checked.
Observed Examples 5
CVE-2000-0004Server allows remote attackers to read source code for executable files by inserting a . (dot) into the URL.
CVE-2002-0304Server allows remote attackers to read password-protected files via a /./ in the HTTP request.
CVE-1999-1083Possibly (could be a cleansing error)
CVE-2004-0815"/./////etc" cleansed to ".///etc" then "/etc"
CVE-2002-0112Server allows remote attackers to view password protected files via /./ in the URL.
Applicable Platforms
Languages:
Not Language-Specific : Undetermined
Modes of Introduction
Implementation
Functional Areas
  1. File Processing
Affected Resources
  1. File or Directory
Related Weaknesses
ChildOf: Improper Resolution of Path Equivalence (CWE-41)
Taxonomy Mapping
  • PLOVER
  • Software Fault Patterns