logo

Path Equivalence: 'fakedir/../realdir/filename'

Incomplete Variant
Structure: Simple
Description

This vulnerability occurs when an application uses external input to build file paths, allowing attackers to bypass access controls. By submitting a path like 'fakedir/../realdir/filename', they can navigate out of a restricted directory ('fakedir') and into a protected one ('realdir'), accessing files the security mechanisms were designed to block.

Extended Description

This flaw is a specific type of path traversal attack where the security check fails due to how the path is interpreted. The application might correctly validate or restrict access to the direct path 'realdir/filename'. However, it doesn't account for directory traversal sequences ('../') being prepended. When it concatenates user input like 'fakedir/../realdir/filename' without proper normalization, the system resolves the '..' to move up a directory, effectively making the 'fakedir' part irrelevant and granting access to the real target. To prevent this, developers must implement canonicalization or path normalization before applying any security checks. This process resolves all '..' and '.' sequences and symbolic links to produce a single, absolute, and clean path. Access controls should then be applied to this final, normalized path, ensuring that any crafted input with traversal sequences is evaluated based on the actual file or directory it points to, not the deceptive path structure provided by the user.
Common Consequences 1
Scope: ConfidentialityIntegrity

Impact: Read Files or DirectoriesModify Files or Directories
Potential Mitigations 1
Phase: Implementation

Strategy: Input Validation

Inputs should be decoded and canonicalized to the application's current internal representation before being validated (Incorrect Behavior Order: Validate Before Canonicalize). Make sure that the application does not decode the same input twice (Double Decoding of the Same Data). Such errors could be used to bypass allowlist validation schemes by introducing dangerous inputs after they have been checked.
Observed Examples 3
CVE-2001-1152Proxy allows remote attackers to bypass denylist restrictions and connect to unauthorized web servers by modifying the requested URL, including (1) a // (double slash), (2) a /SUBDIR/.. where the desired file is in the parentdir, (3) a /./, or (4) URL-encoded characters.
CVE-2000-0191application check access for restricted URL before canonicalization
CVE-2005-1366CGI source disclosure using "dirname/../cgi-bin"
Applicable Platforms
Languages:
Not Language-Specific : Undetermined
Modes of Introduction
Implementation
Functional Areas
  1. File Processing
Affected Resources
  1. File or Directory
Related Weaknesses
ChildOf: Improper Resolution of Path Equivalence (CWE-41)
Taxonomy Mapping
  • PLOVER
  • Software Fault Patterns
Notes
TheoreticalThis is a manipulation that uses an injection for one consequence (containment violation using relative path) to achieve a different consequence (equivalence by alternate name).