Description

The product does not handle or incorrectly handles a file name that identifies a "virtual" resource that is not directly specified within the directory that is associated with the file name, causing the product to perform file-based operations on a resource that is not a file.

Extended Description

Virtual file names are represented like normal file names, but they are effectively aliases for other resources that do not behave like normal files. Depending on their functionality, they could be alternate entities. They are not necessarily listed in directories.

---

ThreatScore

Threat Mapped score: 1.8

Industry: Finiancial

Threat priority: P4 - Informational (Low)

---

Observed Examples (CVEs)

• CVE: CVE-1999-0278

  In IIS, remote attackers can obtain source code for ASP files by appending "::$DATA" to the URL.

• CVE: CVE-2004-1084

  Server allows remote attackers to read files and resource fork content via HTTP requests to certain special file names related to multiple data streams in HFS+.

• CVE: CVE-2002-0106

  Server allows remote attackers to cause a denial of service via a series of requests to .JSP files that contain an MS-DOS device name.

Related Attack Patterns (CAPEC)

N/A

---

Attack TTPs

N/A

Modes of Introduction

Phase	Note
Implementation	N/A
Operation	N/A

Common Consequences

Potential Mitigations

Applicable Platforms

• None (Not Language-Specific, Undetermined)

---

Demonstrative Examples

N/A

Notes

← Back to CWE list