The product accepts path input in the form of a trailing slash ('filedir/') without appropriate validation, which can lead to ambiguous path resolution and allow an attacker to traverse the file system to unintended locations or access arbitrary files.
Threat Mapped score: 0.0
Industry: Financial
Threat priority: Unclassified
CVE: CVE-2002-0253
Overlaps infoleak
CVE: CVE-2001-0446
Application server allows remote attackers to read source code for .jsp files by appending a / to the requested URL.
CVE: CVE-2004-0334
Bypass Basic Authentication for files using trailing "/"
CVE: CVE-2001-0893
Read sensitive files with trailing "/"
CVE: CVE-2001-0892
Web server allows remote attackers to view sensitive files under the document root (such as .htpasswd) via a GET request with a trailing /.
CVE: CVE-2004-1814
Directory traversal vulnerability in server allows remote attackers to read protected files via .. (dot dot) sequences in an HTTP request.
Phase | Note |
---|---|
Implementation | N/A |
Operation | N/A |