Corgea LogoCorgea Security Hub

CWE-34: Path Traversal: '....//'

Learn about CWE-34 (Path Traversal: '....//'), its security impact, exploitation methods, and prevention guidelines.

What is Path Traversal: '....//'?

• Overview: Path Traversal '....//' is a vulnerability where an application uses external input to build a file path, but fails to properly neutralize sequences like '....//', allowing attackers to access files outside the intended directory.

• Exploitation Methods:

  • Attackers can exploit this vulnerability by injecting '....//' sequences into file path inputs to navigate the file system.
  • Common attack patterns include using '....//' to bypass simple path filters that only remove "../" or ".." sequences.

• Security Impact:

  • Direct consequences include unauthorized access to sensitive files and directories.
  • Potential cascading effects could involve exposure of confidential data, system compromise, and privilege escalation.
  • Business impact can include data breaches, legal liabilities, and loss of customer trust.

• Prevention Guidelines:

  • Specific code-level fixes include validating and sanitizing file path inputs, ensuring they resolve to intended directories.
  • Security best practices involve using library functions or APIs that safely handle file paths and prevent traversal.
  • Recommended tools and frameworks should be used to automatically detect and mitigate path traversal vulnerabilities during development and testing.

Corgea can automatically detect and fix Path Traversal: '....//' in your codebase. Try Corgea free today.

Technical Details

Likelihood of Exploit: Not specified

Affected Languages: Not Language-Specific

Affected Technologies: Not specified

Vulnerable Code Example

Python Example

import os

def read_file(filename):
    base_directory = '/var/www/data/'
    # Vulnerable line: Concatenating user input directly into the file path
    full_path = os.path.join(base_directory, filename)
    
    try:
        with open(full_path, 'r') as file:
            return file.read()
    except FileNotFoundError:
        return "File not found."
    except Exception as e:
        return str(e)

Explanation of Vulnerability

  • The code above takes a filename input from an external source and appends it to a base directory to create a full_path.
  • This is vulnerable to a path traversal attack using sequences like ../../etc/passwd or ....//etc/passwd to access files outside the intended directory.
  • Without proper validation, an attacker can craft requests to read sensitive files on the server.

How to fix Path Traversal: '....//'?

To fix the path traversal issue, implement the following best practices:

  1. Normalize and Validate Paths: Use functions to normalize the path and ensure it stays within the intended directory.
  2. Use Secure Libraries: Consider using built-in libraries that automatically handle path sanitization.
  3. Whitelist Approach: Implement a whitelist of allowable file names or extensions.

Fixed Code Example

Python Example

import os

def is_safe_path(base_directory, user_input_path):
    # Resolve the absolute path and check if it begins with the base directory
    absolute_path = os.path.abspath(os.path.join(base_directory, user_input_path))
    return absolute_path.startswith(os.path.abspath(base_directory))

def read_file(filename):
    base_directory = '/var/www/data/'
    # Fix: Validate if the resolved path is safe
    if not is_safe_path(base_directory, filename):
        return "Access denied: Invalid file path."

    full_path = os.path.join(base_directory, filename)
    
    try:
        with open(full_path, 'r') as file:
            return file.read()
    except FileNotFoundError:
        return "File not found."
    except Exception as e:
        return str(e)

Explanation of Fix

  • Path Normalization and Validation: The function is_safe_path ensures that the resolved absolute file path always starts with the base directory path, preventing directory traversal.
  • Access Denied Message: If the path is not valid, the function returns an error message without attempting to open the file.
  • Security Principle: This prevents attackers from accessing files outside the designated directory, adhering to the principle of least privilege.

Additional Improvements

  • Use of os.path.abspath: Ensures that the path is fully resolved, eliminating any relative path components like ...
  • Consistent Path Handling: By using os.path.abspath on both the base directory and the user-supplied path, we ensure consistent path handling.
Corgea Logo

Find this vulnerability and fix it with Corgea

Scan your codebase for CWE-34: Path Traversal: '....//' and get remediation guidance

Start for free and no credit card needed.