CWE-29: Path Traversal: '\..\filename'
Learn about CWE-29 (Path Traversal: '\..\filename'), its security impact, exploitation methods, and prevention guidelines.
What is Path Traversal: '..\filename'?
• Overview: Path Traversal: '..\filename' (CWE-29) is a security vulnerability where an application improperly handles input used to construct file paths. This flaw allows attackers to manipulate the path, potentially accessing files outside the designated directory, by using sequences like '..\filename'.
• Exploitation Methods:
- Attackers can exploit this vulnerability by injecting '..' sequences into file path inputs to navigate the directory structure.
- Common attack patterns include using variations of backslash and dot-dot sequences to bypass naive path validation checks.
• Security Impact:
- Direct consequences of successful exploitation include unauthorized access to sensitive system files, configuration files, or user data.
- Potential cascading effects include data breaches, system compromise, or further exploitation of other vulnerabilities.
- Business impact may involve loss of customer trust, legal liabilities, and financial damage due to data breaches or service disruption.
• Prevention Guidelines:
- Specific code-level fixes include normalizing paths and validating them against a whitelist of allowed directories.
- Security best practices involve using library functions that handle path resolution securely and avoiding manual string concatenation for path construction.
- Recommended tools and frameworks include static analysis tools to detect path traversal vulnerabilities and frameworks that provide built-in protection against such attacks.
Technical Details
Likelihood of Exploit: Not specified
Affected Languages: Not Language-Specific
Affected Technologies: Not specified
Vulnerable Code Example
Python Example
import os
def serve_file(filename):
base_directory = '/var/www/html/files/'
# Vulnerable line: Directly concatenating user input to the base directory path
full_path = base_directory + filename # This allows path traversal when the filename includes '/../'
with open(full_path, 'r') as file:
return file.read()
Explanation
- Direct Concatenation: The code above directly concatenates user input (
filename) with a base directory path (/var/www/html/files/). - Path Traversal Risk: This approach allows an attacker to use sequences like
../../to traverse up the directory tree and access sensitive files outside the intended directory.
How to fix Path Traversal: '..\filename'?
To fix the path traversal vulnerability:
- Validate Input: Ensure that the input filename does not contain any path traversal sequences.
- Use Secure Functions: Use functions that resolve the absolute path and verify it against the intended directory.
- Restrict to Base Directory: After resolving the absolute path, ensure it starts with the base directory path.
Fixed Code Example
Python Example
import os
def serve_file(filename):
base_directory = '/var/www/html/files/'
# Resolve the absolute path using os.path.abspath() and os.path.join()
full_path = os.path.abspath(os.path.join(base_directory, filename))
# Check if the resolved path is within the intended base directory
if not full_path.startswith(os.path.abspath(base_directory)):
raise ValueError("Access denied: Invalid file path.")
# Safely open the file as the path has been validated
with open(full_path, 'r') as file:
return file.read()
Explanation
- Line 15: Uses
os.path.abspath()along withos.path.join()to securely resolve the full path. - Line 19: Validates that the resolved path starts with the absolute path of the base directory. This ensures the file access is restricted to the intended directory.
- Security Assurance: This approach prevents path traversal attacks by ensuring any attempt to access files outside the specified directory will result in an error, thus protecting sensitive files from unauthorized access.