Difference between revisions of "Absolute Path Traversal"

From OWASP
 

Revision as of 17:19, 6 December 2006


If a product expects a filename as input, it may use that input to construct an absolute path such as "/rootdir/subdir", which the operating system then processes to access a file or resource outside the restricted path the developer intended.

This is similar to path traversal, but it uses only "/" and not ".." to gain access.
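
The following is an added example, not code from OWASP or from the original article. It shows why joining a base directory with an absolute filename does not keep the result inside that directory on POSIX systems, next to a resolver that rejects such input. The directory `/srv/app/uploads` and the function names are assumptions made for illustration.

```python
import os

# Assumed restricted directory for this example (constructed, not from the article).
BASE_DIR = "/srv/app/uploads"


def naive_resolve(user_filename: str) -> str:
    """Weak form: os.path.join drops BASE_DIR when the input starts with "/"."""
    return os.path.join(BASE_DIR, user_filename)


def safe_resolve(user_filename: str, base_dir: str = BASE_DIR) -> str:
    """Return a path that stays under base_dir, or raise ValueError."""
    if "\x00" in user_filename:
        raise ValueError("NUL byte in filename")
    # Refuse absolute input before any joining takes place.
    if os.path.isabs(user_filename):
        raise ValueError("absolute paths are not accepted")
    base = os.path.realpath(base_dir)
    # realpath collapses ".." and follows symlinks, so the containment
    # check below sees the location the OS would actually open.
    candidate = os.path.realpath(os.path.join(base, user_filename))
    if os.path.commonpath([base, candidate]) != base:
        raise ValueError("path escapes the restricted directory")
    return candidate


def check(names):
    """Map each constructed sample input to its resolved path or rejection reason."""
    results = {}
    for name in names:
        try:
            results[name] = safe_resolve(name)
        except ValueError as exc:
            results[name] = f"rejected: {exc}"
    return results


if __name__ == "__main__":
    samples = ["report.txt", "/etc/passwd", "../../etc/passwd"]  # constructed
    for name in samples:
        print(f"{name!r}: naive -> {naive_resolve(name)}")
    for name, outcome in check(samples).items():
        print(f"{name!r}: safe  -> {outcome}")
```

The containment check after `realpath` also covers the ".." form of path traversal, so one resolver handles both variants.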