Path Equivalence: 'filedir*' (Wildcard)

Abstraction: Variant
Structure: Simple
Status: Incomplete
Description

This weakness occurs when an application accepts a file or directory path containing an asterisk wildcard ('*', as in 'filedir*') without appropriate validation. Because the component that eventually consumes the path may expand the wildcard, a single request can resolve to several files, letting an attacker bypass intended access controls to read, write or, depending on how the path is later used, execute files in unauthorized locations.

Extended Description

The core issue is that the asterisk is not a literal filename character to every component that handles the path. A plain open() on a POSIX system treats 'config*.txt' literally, but a shell, a glob or fnmatch library, or a Windows file-search API such as FindFirstFile will expand it, so an application that validates the literal string and then hands it to one of those consumers operates on a different set of files than the one it checked (for 'config*.txt', perhaps 'config.txt', 'config_backup.txt' and 'config_old.txt'). The resulting ambiguous path can lead to unauthorized disclosure of file names or contents, overwriting of files, or worse if the expanded set reaches files the application later loads or executes. To prevent this, reject paths containing wildcard characters ('*', and usually '?' and '[' as well) before processing, or use an allowlist of permitted filenames, or canonicalize the path and then verify that it resides strictly within the intended directory. Never rely on client-side validation alone; all path sanitization must be performed server-side using the application's trusted context.

Common Consequences
Scope: Confidentiality, Integrity

Impact: Read Files or Directories; Modify Files or Directories

Potential Mitigations
Phase: Implementation

Strategy: Input Validation

Inputs should be decoded and canonicalized to the application's current internal representation before being validated (Incorrect Behavior Order: Validate Before Canonicalize). Make sure that the application does not decode the same input twice (Double Decoding of the Same Data). Such errors could be used to bypass allowlist validation schemes by introducing dangerous inputs after they have been checked.
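The following is an added example, not part of the CWE entry, illustrating both the weakness in the extended description (a literal-string check followed by wildcard expansion) and the mitigation above (decode once, canonicalize, then validate). Assumptions: Python's glob module stands in for the wildcard-expanding consumer (a shell, fnmatch, or a Windows file-search API behaves the same way); the function names, the scratch directory and its three files are constructed for illustration.

```python
import glob
import os
import tempfile
import urllib.parse

# Characters that glob/fnmatch and most shells treat as wildcards (assumption:
# the wildcard-expanding consumer in this example is Python's glob module).
WILDCARD_CHARS = frozenset("*?[")


def build_sample_dir():
    """Create a constructed scratch directory with three sample files."""
    base = tempfile.mkdtemp(prefix="cwe56-")
    for name, body in (("public.txt", "hello"),
                       ("private-notes.txt", "secret"),
                       ("config.ini", "[section]")):
        with open(os.path.join(base, name), "w", encoding="utf-8") as fh:
            fh.write(body)
    return base


def vulnerable_read(base_dir, user_path):
    """Weak pattern: validate the literal string, then hand it to a wildcard-expanding API.

    Intended rule: a client may read exactly one .txt file inside base_dir.
    """
    if ".." in user_path or os.path.isabs(user_path) or not user_path.endswith(".txt"):
        raise PermissionError("rejected by validation")
    # The string '*.txt' satisfies every check above, but glob() expands the
    # '*' only now, so the request resolves to every .txt file in base_dir.
    results = {}
    for match in glob.glob(os.path.join(base_dir, user_path)):
        with open(match, encoding="utf-8") as fh:
            results[os.path.basename(match)] = fh.read()
    return results


def safe_resolve(base_dir, user_path):
    """Hardened pattern: decode once, canonicalize, then validate.

    Returns the canonical absolute path or raises ValueError.
    """
    decoded = urllib.parse.unquote(user_path)  # decode exactly once, never twice
    if WILDCARD_CHARS & set(decoded):
        raise ValueError("wildcard characters are not permitted")
    real_base = os.path.realpath(base_dir)
    candidate = os.path.realpath(os.path.join(real_base, decoded))
    # Containment check on the canonical form defeats '..' and symlink tricks.
    if os.path.commonpath([real_base, candidate]) != real_base:
        raise ValueError("path escapes the allowed directory")
    return candidate


def safe_read(base_dir, user_path):
    """Read exactly one file chosen by safe_resolve(); no expansion can occur."""
    with open(safe_resolve(base_dir, user_path), encoding="utf-8") as fh:
        return fh.read()


def is_rejected(base_dir, user_path):
    """True when safe_resolve() refuses the input."""
    try:
        safe_resolve(base_dir, user_path)
    except ValueError:
        return True
    return False


if __name__ == "__main__":
    base = build_sample_dir()
    print("vulnerable:", sorted(vulnerable_read(base, "*.txt")))  # both .txt files
    print("safe:", safe_read(base, "public.txt"))
    for probe in ("*.txt", "%2A.txt", "report?.txt", "../etc/passwd"):
        print(probe, "rejected" if is_rejected(base, probe) else "accepted")
    # '%252A.txt' decodes once to the literal name '%2A.txt', not to a wildcard.
    print(os.path.basename(safe_resolve(base, "%252A.txt")))
```

The vulnerable function passes '*.txt' through every literal check and then discloses both text files, which is the shape of the observed examples below. The hardened resolver decodes a single time, so '%2A.txt' becomes '*.txt' and is refused, while '%252A.txt' stays the harmless literal name '%2A.txt'; a second decoding pass would have turned it into a wildcard after validation, which is the double-decoding bypass the mitigation warns about. The same discipline applies when the string would reach a shell via subprocess with shell=True or a Windows directory-listing call: validate the canonical form and never hand user-controlled text to an expansion-capable consumer.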
Observed Examples
CVE-2004-0696: List directories using desired path and "*"
CVE-2002-0433: List files in web server using "*.ext"
Applicable Platforms
Languages:
Not Language-Specific (Undetermined Prevalence)
Modes of Introduction
Implementation
Functional Areas
  1. File Processing
Affected Resources
  1. File or Directory
Taxonomy Mapping
  • PLOVER
  • Software Fault Patterns