CWE-56: Path Equivalence: 'filedir*' (Wildcard)

Description

The product accepts path input in the form of asterisk wildcard ('filedir*') without appropriate validation, which can lead to ambiguous path resolution and allow an attacker to traverse the file system to unintended locations or access arbitrary files.

Extended Description

N/A

ThreatScore

Threat Mapped score: 0.0

Industry: Finiancial

Threat priority: Unclassified

Observed Examples (CVEs)

CVE: CVE-2004-0696

List directories using desired path and "*"
CVE: CVE-2002-0433

List files in web server using "*.ext"

Related Attack Patterns (CAPEC)

N/A

Attack TTPs

N/A

Modes of Introduction

Phase	Note
Implementation	N/A

Common Consequences

Impact: Read Files or Directories, Modify Files or Directories — Notes:

Potential Mitigations

Implementation: Inputs should be decoded and canonicalized to the application's current internal representation before being validated (CWE-180). Make sure that the application does not decode the same input twice (CWE-174). Such errors could be used to bypass allowlist validation schemes by introducing dangerous inputs after they have been checked. (N/A)

Applicable Platforms

None (Not Language-Specific, Undetermined)

Demonstrative Examples

N/A

Notes

No notes available.

← Back to CWE list