Relative Path Traversal



Overview
This attack is a variant of Path Traversal and can be exploited when the application accepts the use of relative traversal sequences such as "../".

How to Avoid Path Traversal Vulnerabilities
See the OWASP Guide article on how to Avoid Path Traversal Vulnerabilities.

How to Test for Path Traversal Vulnerabilities
See the OWASP Testing Guide article on how to Test for Path Traversal Vulnerabilities.

More detailed information can be found on the Path Traversal page.

Description
TBD

Examples
The following URLs are vulnerable to this attack:

http://some_site.com.br/get-files.jsp?file=report.pdf
http://some_site.com.br/get-page.php?home=aaa.html
http://some_site.com.br/some-page.asp?page=index.html

A simple way to execute this attack is as follows:

http://some_site.com.br/get-files?file=../../../../some dir/some file
http://some_site.com.br/../../../../etc/shadow
http://some_site.com.br/get-files?file=../../../../etc/passwd
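The following is an added example, not code from the original page or from OWASP, showing why the "get-files?file=..." endpoints above are exploitable and how a server-side file handler refuses the traversal. It contrasts the weak pattern (joining the user-supplied name onto the base directory with no containment check) with a hardened resolver that rejects absolute names, canonicalizes the joined path with realpath, and accepts it only if it is still inside the base directory. The base directory, the file name report.pdf and the function names are assumptions; the sandbox directory is constructed so the script runs offline.

```python
import os
import tempfile
from typing import Optional

# Constructed sandbox standing in for the web root behind the page's
# "get-files?file=..." endpoint; directory and file names are assumptions.
BASE_DIR = tempfile.mkdtemp(prefix="get_files_")
with open(os.path.join(BASE_DIR, "report.pdf"), "wb") as fh:
    fh.write(b"%PDF-1.4 constructed sample\n")


def vulnerable_resolve(base_dir: str, user_path: str) -> str:
    """The weak pattern: the user-supplied name is joined onto the base
    directory with no containment check, so each "../" climbs one level."""
    return os.path.normpath(os.path.join(base_dir, user_path))


def escapes_base(base_dir: str, user_path: str) -> bool:
    """True when the naive join lands outside base_dir, i.e. the request is a
    relative path traversal that the weak code would have honoured."""
    base = os.path.realpath(base_dir)
    target = os.path.realpath(vulnerable_resolve(base, user_path))
    return os.path.commonpath([base, target]) != base


def safe_resolve(base_dir: str, user_path: str) -> Optional[str]:
    """Hardened form: refuse absolute names, canonicalize, and accept the
    result only if its canonical path is still inside base_dir.
    Returns the absolute path to open, or None when the request is refused."""
    if os.path.isabs(user_path):
        return None
    base = os.path.realpath(base_dir)
    # realpath collapses "." and ".." and follows symlinks, so the containment
    # check is made on the path the OS would actually open, not on the raw
    # string; a symlink inside base_dir that points outside is refused too.
    candidate = os.path.realpath(os.path.join(base, user_path))
    if os.path.commonpath([base, candidate]) != base:
        return None
    return candidate


def serve(base_dir: str, user_path: str) -> Optional[bytes]:
    """Read a file for the client only when safe_resolve accepts the name
    and the target is a regular file (an empty name resolves to the
    directory itself and is therefore not served)."""
    path = safe_resolve(base_dir, user_path)
    if path is None or not os.path.isfile(path):
        return None
    with open(path, "rb") as fh:
        return fh.read()


if __name__ == "__main__":
    # The page's legitimate request followed by its two traversal payloads.
    for name in ("report.pdf",
                 "../../../../etc/passwd",
                 "../../../../some dir/some file"):
        print(f"{name!r}: naive join escapes base={escapes_base(BASE_DIR, name)}, "
              f"served by hardened handler={serve(BASE_DIR, name) is not None}")
```

The check is done on the canonical path rather than by searching the string for "../": string filters miss encoded or platform-specific variants, whereas comparing the realpath against the base directory decides on what the file system would actually open.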

Risk Factors
TBD

Related Threat Agents

 * Category: Information Disclosure

Related Attacks

 * Path Manipulation
 * Path Traversal
 * Resource Injection

Related Vulnerabilities

 * Category:Input Validation Vulnerability

Related Controls

 * Category:Input Validation