Difference between revisions of "Absolute Path Traversal"
Revision as of 16:43, 24 October 2007
If a product expects a filename as input, that input may be used to construct an absolute path such as "/rootdir/subdir", which the operating system then processes to access a file or resource outside the restricted path the developer intended.
This is similar to path traversal, but it uses only "/" and not ".." to gain access. More detailed information can be found on the Path_Traversal page.
The following URLs may be vulnerable to this attack:
A simple way to execute this attack is like this:
When the web server returns information about errors in a web application, it is much easier for the attacker to guess the correct locations (e.g. the path to a file containing source code, which may then be displayed).
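The Python sketch below is an added example, not part of the original article. It shows why joining a base directory with an absolute filename leaves the restricted path, and a containment check that rejects it. The function names and sample inputs are constructed for illustration, and the check also covers ".." sequences, which goes slightly beyond the absolute-path case described above.

```python
import os
import tempfile


def naive_path(base_dir, user_name):
    # Weak form: os.path.join() discards base_dir entirely when
    # user_name is absolute, so "/rootdir/subdir" is used as-is.
    return os.path.join(base_dir, user_name)


def safe_path(base_dir, user_name):
    """Return a resolved path inside base_dir, or raise ValueError."""
    if os.path.isabs(user_name):
        raise ValueError("absolute path rejected")
    base = os.path.realpath(base_dir)
    # Resolve symlinks and ".." before comparing against the base.
    candidate = os.path.realpath(os.path.join(base, user_name))
    if os.path.commonpath([base, candidate]) != base:
        raise ValueError("path escapes base directory")
    return candidate


def classify(base_dir, names):
    """Map each requested name to 'allowed' or a rejection reason."""
    results = {}
    for name in names:
        try:
            safe_path(base_dir, name)
            results[name] = "allowed"
        except ValueError as exc:
            results[name] = "rejected: %s" % exc
    return results


if __name__ == "__main__":
    base = tempfile.mkdtemp()  # constructed stand-in for the restricted directory
    samples = ["report.txt", "/rootdir/subdir", "../outside.txt"]  # constructed inputs
    print("naive join:", naive_path(base, "/rootdir/subdir"))
    for name, verdict in classify(base, samples).items():
        print("%-18s %s" % (name, verdict))
```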