Path Equivalence: 'file name' (Internal Whitespace)
Weakness ID: 48 (Weakness Variant) | Status: Incomplete
Description Summary
A software system that accepts path input in the form of internal space ('file(SPACE)name') without appropriate validation can lead to ambiguous path resolution and allow an attacker to traverse the file system to unintended locations or access arbitrary files.
Reference | Description |
---|---|
CVE-2000-0293 | Filenames with spaces allow arbitrary file deletion when the product does not properly quote them; some overlap with path traversal. |
CVE-2001-1567 | "+" characters in query string converted to spaces before sensitive file/extension (internal space), leading to bypass of access restrictions to the file. |
This is not necessarily an equivalence issue, but it can also be used to spoof icons or conduct information hiding via information truncation (see user interface errors). This weakness is likely to overlap quoting problems, e.g. the "Program Files" untrusted search path variants. It also could be an equivalence issue if filtering removes all extraneous spaces.
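As an added example (not part of the CWE entry): a Python sketch of the two failure modes the notes above describe, a whitespace-collapsing filter that turns distinct names into one path (the equivalence case) and shell word splitting on an unquoted name (the CVE-2000-0293 pattern), beside a hardened resolver that decodes the input before validating it and rejects internal whitespace outright. `BASE_DIR` and the character allowlist are assumptions for the example.

```python
import os
import re
import shlex
from typing import Optional
from urllib.parse import unquote_plus

# Assumed document root for this example (need not exist on disk).
BASE_DIR = os.path.realpath("/srv/app/public")
# Allowlist for a single path component: no whitespace, no separators.
SAFE_COMPONENT = re.compile(r"[A-Za-z0-9._-]+")


def collapse_whitespace(name: str) -> str:
    """The tempting but wrong fix: removing spaces makes distinct names
    collapse onto the same file, which is exactly the equivalence issue."""
    return re.sub(r"\s+", "", name)


def shell_words(name: str) -> list:
    """How an unquoted name is seen by a shell: word splitting turns
    'file name' into two separate arguments of the command."""
    return shlex.split("rm -f " + name)


def resolve_safe(raw: str) -> Optional[str]:
    """Hardened lookup: decode first so '+' and '%20' become spaces before
    the check, reject anything off the allowlist (this includes every
    whitespace character and '/'), then canonicalize and confine the
    result to BASE_DIR. Returns None when the name is rejected."""
    decoded = unquote_plus(raw)
    if not SAFE_COMPONENT.fullmatch(decoded) or decoded in (".", ".."):
        return None
    full = os.path.realpath(os.path.join(BASE_DIR, decoded))
    if os.path.commonpath([BASE_DIR, full]) != BASE_DIR:
        return None
    return full
```

Rejecting rather than normalizing is the point: once a space has been stripped or converted, two requests that named different files may resolve to the same one.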
Nature | Type | ID | Name | View(s) this relationship pertains to |
---|---|---|---|---|
ChildOf | Weakness Base | 41 | Improper Resolution of Path Equivalence | Development Concepts (primary) 699; Research Concepts (primary) 1000 |
Mapped Taxonomy Name | Node ID | Fit | Mapped Node Name |
---|---|---|---|
PLOVER | | | file(SPACE)name (internal space) |
OWASP Top Ten 2004 | A9 | CWE More Specific | Denial of Service |
Submissions
Submission Date | Submitter | Organization | Source |
---|---|---|---|
 | PLOVER | | Externally Mined |
Modifications
Modification Date | Modifier | Organization | Source | Change |
---|---|---|---|---|
2008-07-01 | Eric Dalci | Cigital | External | updated Time of Introduction |
2008-09-08 | CWE Content Team | MITRE | Internal | updated Relationships, Other Notes, Taxonomy Mappings |
Previous Entry Names
Change Date | Previous Entry Name |
---|---|
2008-04-11 | Path Issue - Internal Space - file(SPACE)name |