The product validates data before it has been filtered, which prevents the product from detecting data that becomes invalid after the filtering step.
This can be used by an attacker to bypass the validation and launch attacks that expose weaknesses that would otherwise be prevented, such as injection.
Threat Mapped score: 0.0
Industry: Finiancial
Threat priority: Unclassified
CVE: CVE-2002-0934
Directory traversal vulnerability allows remote attackers to read or modify arbitrary files via invalid characters between two . (dot) characters, which are filtered and result in a ".." sequence.
CVE: CVE-2003-0282
Directory traversal vulnerability allows attackers to overwrite arbitrary files via invalid characters between two . (dot) characters, which are filtered and result in a ".." sequence.
| Phase | Note |
|---|---|
| Implementation | N/A |
Intro: This script creates a subdirectory within a user directory and sets the user as the owner.
Body: While the script attempts to screen for '..' sequences, an attacker can submit a directory path including ".~.", which will then become ".." after the filtering step. This allows a Path Traversal (CWE-21) attack to occur.
function createDir($userName,$dirName){ $userDir = '/users/'. $userName; if(strpos($dirName,'..') !== false){ echo 'Directory name contains invalid sequence'; return; } //filter out '~' because other scripts identify user directories by this prefix $dirName = str_replace('~','',$dirName); $newDir = $userDir . $dirName; mkdir($newDir, 0700); chown($newDir,$userName); }