Difference between revisions of "Absolute Path Traversal"

From OWASP
Jump to: navigation, search
 
(16 intermediate revisions by 4 users not shown)
Line 1: Line 1:
{{Template:Attack}}
+
{{Delete}}
 +
#REDIRECT [[Path Traversal]]
 +
 
 +
Last revision (mm/dd/yy): '''{{REVISIONMONTH}}/{{REVISIONDAY}}/{{REVISIONYEAR}}'''
  
 
==Description==
 
==Description==
 
 
 
If a product expects a filename as input it is possible that it can construct an absolute path such as "/rootdir/subdir," which is then processed by the operating system to access a file or resource that is outside of a restricted path that was intended by the developer.
 
If a product expects a filename as input it is possible that it can construct an absolute path such as "/rootdir/subdir," which is then processed by the operating system to access a file or resource that is outside of a restricted path that was intended by the developer.
  
 
This is similar to path traversal but uses only "/" and not ".." to gain access.
 
This is similar to path traversal but uses only "/" and not ".." to gain access.
 
More detailed information can be found on [[Path_Traversal]]
 
More detailed information can be found on [[Path_Traversal]]
 +
 +
==Risk Factors==
  
 
==Examples==
 
==Examples==
  
 +
===How does the attack work?===
 +
:The following URLs maybe are vulnerable to this attack:
  
The following URLs maybe are vulnerable to this attack:
+
<nowiki>http://testsite.com/get.php?f=list</nowiki>
 
+
<nowiki>http://testsite.com/get.cgi?f=2</nowiki>
http://testsite.com/get.php?f=list
+
<nowiki>http://testsite.com/get.asp?f=test</nowiki>
 
+
http://testsite.com/get.cgi?f=2
+
 
+
http://testsite.com/get.asp?f=test
+
 
+
 
+
A simple way to execute this attack is like this:
+
 
+
http://testsite.com/get.php?f=/var/www/html/get.php
+
 
+
http://testsite.com/get.cgi?f=/var/www/html/admin/get.inc
+
 
+
http://testsite.com/get.asp?f=/etc/passwd
+
 
+
When the web server returns information about errors in a web application, it is much easier for the attacker to guess the correct locations (e.g. path to the file with a source code, which then may be displayed).
+
 
+
 
+
==Related Threats==
+
 
+
*[[Category: Information Disclosure]]
+
 
+
 
+
==Related Attacks==
+
 
+
 
+
*[[Path Manipulation]]
+
*[[Path Traversal]]
+
*[[Resource Injection]]
+
  
==Related Vulnerabilities==
+
:A simple way to execute this attack is like this:
  
 +
<nowiki>http://testsite.com/get.php?f=/var/www/html/get.php</nowiki>
 +
<nowiki>http://testsite.com/get.cgi?f=/var/www/html/admin/get.inc</nowiki>
 +
<nowiki>http://testsite.com/get.asp?f=/etc/passwd</nowiki>
  
*[[Category:Input Validation Vulnerability]]
+
:When the web server returns information about errors in a web application, it is much easier for the attacker to guess the correct locations (e.g. path to the file with a source code, which then may be displayed).
  
 +
==Related [[Threat Agents]]==
  
==Related Countermeasures==
+
==Related [[Attacks]]==
 +
* [[Path Manipulation]]
 +
* [[Path Traversal]]
 +
* [[Resource Injection]]
  
*[[Category:Input Validation]]
+
==Related [[Vulnerabilities]]==
 +
* [[:Category:Input Validation Vulnerability]]
  
  
==Categories==
+
==Related [[Controls]]==
 +
* [[:Category:Input Validation]]
  
*[[Category:Resource Manipulation]]
+
==References==

Latest revision as of 08:13, 12 February 2009


This article has been recommended for deletion.
You can help OWASP by improving it or discussing it on its Talk page.
#REDIRECT Path Traversal

Last revision (mm/dd/yy): 02/12/2009

Contents

Description

If a product expects a filename as input it is possible that it can construct an absolute path such as "/rootdir/subdir," which is then processed by the operating system to access a file or resource that is outside of a restricted path that was intended by the developer.

This is similar to path traversal but uses only "/" and not ".." to gain access. More detailed information can be found on Path_Traversal

Risk Factors

Examples

How does the attack work?

The following URLs maybe are vulnerable to this attack:
http://testsite.com/get.php?f=list
http://testsite.com/get.cgi?f=2
http://testsite.com/get.asp?f=test
A simple way to execute this attack is like this:
http://testsite.com/get.php?f=/var/www/html/get.php
http://testsite.com/get.cgi?f=/var/www/html/admin/get.inc
http://testsite.com/get.asp?f=/etc/passwd
When the web server returns information about errors in a web application, it is much easier for the attacker to guess the correct locations (e.g. path to the file with a source code, which then may be displayed).

Related Threat Agents

Related Attacks

Related Vulnerabilities


Related Controls

References