CWE-33: Path Traversal: '....' (Multiple Dot)
Learn about CWE-33 (Path Traversal: '....' (Multiple Dot)), its security impact, exploitation methods, and prevention guidelines.
What is Path Traversal: '....' (Multiple Dot)?
• Overview: Path Traversal: '....' (Multiple Dot) is a vulnerability where user input is used to construct a pathname intended to stay within a restricted directory, but fails to neutralize '....' sequences, allowing path traversal beyond the directory.
• Exploitation Methods:
- Attackers can craft input with '....' sequences to access unauthorized directories or files.
- Common techniques include inputting '....' to bypass weak path validation that doesn't account for multiple dots or assumes only ".." is dangerous.
• Security Impact:
- Direct consequences include unauthorized access to sensitive files or directories outside the intended scope.
- Potential cascading effects could involve data breaches, system compromise, or further exploitation.
- Business impact may include loss of data integrity, customer trust, legal consequences, and financial losses.
• Prevention Guidelines:
- Specific code-level fixes include validating and sanitizing all user inputs, ensuring no untrusted input can manipulate file paths.
- Security best practices involve employing a whitelist approach for allowed file paths and restricting file access rights.
- Recommended tools and frameworks include libraries or functions that provide secure path handling and robust input validation mechanisms.
Corgea can automatically detect and fix Path Traversal: '....' (Multiple Dot) in your codebase. Try Corgea free today.
Technical Details
Likelihood of Exploit: Not specified
Affected Languages: Not Language-Specific
Affected Technologies: Not specified
Vulnerable Code Example
Python Example
import os
def read_file(filename):
# Vulnerable to path traversal because it directly uses user input
with open(os.path.join('/var/www/data/', filename), 'r') as file:
return file.read()
# Example usage:
# Input: "../../../../etc/passwd" could allow attackers to read sensitive files
user_input = "../../../../etc/passwd"
content = read_file(user_input)
print(content)
Explanation:
- The code above demonstrates a path traversal vulnerability. The
read_filefunction concatenates user input directly into the file path without validating or sanitizing it. This allows attackers to manipulate the file path using sequences like../../..to access sensitive files outside the intended directory.
How to fix Path Traversal: '....' (Multiple Dot)?
To mitigate the path traversal vulnerability, the following best practices should be applied:
- Input Validation: Ensure that the input filename is sanitized and validated against a whitelist of permitted files or patterns.
- Path Normalization: Use functions to normalize the file path, resolving any '..' sequences to prevent directory traversal.
- Restrict File Access: Use secure methods to ensure that files are accessed only within the expected directory.
Fixed Code Example
Python Example
import os
def secure_read_file(filename):
# Define the base directory
base_dir = '/var/www/data/'
# Normalize the path to prevent traversal attacks
normalized_path = os.path.normpath(os.path.join(base_dir, filename))
# Ensure the normalized path is within the base directory
if not os.path.commonpath([base_dir, normalized_path]) == os.path.abspath(base_dir):
raise ValueError("Invalid file path detected!")
# Safe access to the file
with open(normalized_path, 'r') as file:
return file.read()
# Example usage
user_input = "../../../../etc/passwd"
try:
content = secure_read_file(user_input)
print(content)
except ValueError as e:
print(e) # Output: Invalid file path detected!
Explanation:
- In the fixed code, the path is normalized using
os.path.normpathto resolve any..sequences. This ensures that the path is canonicalized. - The code uses
os.path.commonpathto verify that the normalized path is within the intended base directory. This prevents directory traversal by ensuring the calculated path is not outside the base directory. - If the check fails, a
ValueErroris raised, preventing unauthorized access to the filesystem. This approach ensures that only files within the/var/www/data/directory are accessed, protecting against path traversal attacks.