Path Equivalence: '//multiple/leading/slash'
Weakness ID: 50 (Weakness Variant)Status: Incomplete
+ Description

Description Summary

A software system that accepts path input in the form of multiple leading slash ('//multiple/leading/slash') without appropriate validation can lead to ambiguous path resolution and allow an attacker to traverse the file system to unintended locations or access arbitrary files.
+ Time of Introduction
  • Implementation
+ Applicable Platforms

Languages

All

+ Observed Examples
ReferenceDescription
CVE-2002-1483
CVE-1999-1456
CVE-2004-0578
CVE-2002-0275
CVE-2004-1032
CVE-2002-1238
CVE-2004-1878
CVE-2005-1365
CVE-2000-1050Access directory using multiple leading slash.
CVE-2001-1072Bypass access restrictions via multiple leading slash, which causes a regular expression to fail.
CVE-2004-0235Archive extracts to arbitrary files using multiple leading slash in filenames in the archive.
+ Potential Mitigations

see the vulnerability category "Path Equivalence"

+ Relationships
NatureTypeIDNameView(s) this relationship pertains toView(s)
ChildOfWeakness BaseWeakness Base41Improper Resolution of Path Equivalence
Development Concepts (primary)699
Research Concepts (primary)1000
ChildOfWeakness VariantWeakness Variant161Improper Sanitization of Multiple Leading Special Elements
Research Concepts1000
+ Taxonomy Mappings
Mapped Taxonomy NameNode IDFitMapped Node Name
PLOVER//multiple/leading/slash ('multiple leading slash')
+ Content History
Submissions
Submission DateSubmitterOrganizationSource
PLOVERExternally Mined
Modifications
Modification DateModifierOrganizationSource
2008-07-01Eric DalciCigitalExternal
updated Time of Introduction
2008-09-08CWE Content TeamMITREInternal
updated Relationships, Taxonomy Mappings
Previous Entry Names
Change DatePrevious Entry Name
2008-04-11Path Issue - Multiple Leading Slash - //multiple/leading/slash
Back to top