CWE-42 路径等价:'filename.' (尾部点号)

Path Equivalence: 'filename.' (Trailing Dot)

结构: Simple

Abstraction: Variant

状态: Incomplete

被利用可能性: unkown

基本描述

A software system that accepts path input in the form of trailing dot ('filedir.') without appropriate validation can lead to ambiguous path resolution and allow an attacker to traverse the file system to unintended locations or access arbitrary files.

相关缺陷

  • cwe_Nature: ChildOf cwe_CWE_ID: 41 cwe_View_ID: 1000 cwe_Ordinal: Primary

  • cwe_Nature: ChildOf cwe_CWE_ID: 41 cwe_View_ID: 699 cwe_Ordinal: Primary

  • cwe_Nature: ChildOf cwe_CWE_ID: 162 cwe_View_ID: 1000

适用平台

Language: {'cwe_Class': 'Language-Independent', 'cwe_Prevalence': 'Undetermined'}

常见的影响

范围 影响 注释
Access Control Bypass Protection Mechanism

分析过的案例

标识 说明 链接
CVE-2000-1114 Source code disclosure using trailing dot https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2000-1114
CVE-2002-1986, Source code disclosure using trailing dot https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2002-1986,
CVE-2004-2213 Source code disclosure using trailing dot https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2004-2213
CVE-2005-3293 Source code disclosure using trailing dot https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2005-3293
CVE-2004-0061 Bypass directory access restrictions using trailing dot in URL https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2004-0061
CVE-2000-1133 Bypass directory access restrictions using trailing dot in URL https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2000-1133
CVE-2001-1386 Bypass check for ".lnk" extension using ".lnk." https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2001-1386

分类映射

映射的分类名 ImNode ID Fit Mapped Node Name
PLOVER Trailing Dot - 'filedir.'
Software Fault Patterns SFP16 Path Traversal