The product records security-relevant information according to an alternate name of the affected entity, instead of the canonical name.
N/A
Threat Mapped score: 0.0
Industry: Financial
Threat priority: Unclassified
CVE: CVE-2002-0725
Attacker performs malicious actions on a hard link to a file, obscuring the real target file.
N/A
N/A
Phase | Note |
---|---|
Implementation | REALIZATION: This weakness is caused during implementation of an architectural security tactic. |
Operation | N/A |
Intro: This code prints the contents of a file if a user has permission.
Body: While the code logs a bad access attempt, it logs the user-supplied name for the file, not the canonicalized file name. An attacker can obscure their target by giving the script the name of a link to the file they are attempting to access. Also note that this code contains a race condition between the is_link() and readlink() calls (CWE-363).
```php
function readFile($filename){
    $user = getCurrentUser();
    $realFile = $filename;

    //resolve file if it's a symbolic link
    if(is_link($filename)){
        $realFile = readlink($filename);
    }

    if(fileowner($realFile) == $user){
        echo file_get_contents($realFile);
        return;
    }
    else{
        echo 'Access denied';
        //the log entry records the user-supplied $filename, not $realFile
        writeLog($user . ' attempted to access the file '. $filename . ' on '. date('r'));
    }
}
```
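A hardened counterpart to the function above, added here as an example and not part of the original entry: it checks ownership on the opened handle and logs the supplied name together with the canonical path and the device:inode pair, so symbolic-link and hard-link aliases of one file produce matching log entries. The name `readFileCanonical`, the `$uid` parameter and the `$log` callback are hypothetical stand-ins for `getCurrentUser()` and `writeLog()`; the demo data is constructed and assumes a POSIX filesystem.

```php
<?php
// Added example: hypothetical hardened counterpart of readFile() above.
// $uid and the $log callback stand in for getCurrentUser() and writeLog().
function readFileCanonical(string $filename, int $uid, callable $log): ?string
{
    // json_encode() quotes the name and escapes newlines in log fields.
    $q = fn($s) => json_encode($s, JSON_UNESCAPED_SLASHES);
    // Open first, then inspect the handle: the ownership check and the read
    // apply to the same object, so there is no is_link()/readlink() window.
    $fh = @fopen($filename, 'rb');
    if ($fh === false) {
        $log(sprintf('uid=%d open failed supplied=%s', $uid, $q($filename)));
        return null;
    }
    $st = fstat($fh);
    if ($st['uid'] === $uid) {
        $data = stream_get_contents($fh);
        fclose($fh);
        return $data;
    }
    fclose($fh);
    // Record the canonical path and device:inode next to the supplied name.
    // realpath() collapses symlinks and ".."; dev:ino also identifies the
    // target when the alias is a hard link, which realpath() cannot resolve.
    $canonical = realpath($filename);
    $log(sprintf(
        'uid=%d denied supplied=%s canonical=%s dev:ino=%d:%d time=%s',
        $uid, $q($filename), $q($canonical === false ? null : $canonical),
        $st['dev'], $st['ino'], date('r')
    ));
    return null;
}

// Constructed demo: one target reached through a symlink and a hard link.
$dir = sys_get_temp_dir() . '/cwe224_' . getmypid();
mkdir($dir);
file_put_contents("$dir/target.txt", "secret\n");
symlink("$dir/target.txt", "$dir/alias_sym");
link("$dir/target.txt", "$dir/alias_hard");
$lines = [];
$log = function (string $line) use (&$lines) { $lines[] = $line; };
$otherUid = fileowner("$dir/target.txt") + 1; // a uid that does not own the file
foreach (['alias_sym', 'alias_hard'] as $name) {
    readFileCanonical("$dir/$name", $otherUid, $log);
}
echo implode("\n", $lines), "\n"; // both entries carry the same dev:ino
array_map('unlink', glob("$dir/*"));
rmdir($dir);
```

For the symlink alias the `canonical` field already names `target.txt`; for the hard-link alias only the `dev:ino` field ties the entry back to the same file.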