Difference between revisions of "Path Manipulation"

From OWASP
Jump to: navigation, search
(Still think it is an attack.)
Line 5: Line 5:
  
 
Allowing user input to control paths used in filesystem operations may enable an attacker to access or modify otherwise protected system resources.
 
Allowing user input to control paths used in filesystem operations may enable an attacker to access or modify otherwise protected system resources.
 +
  
 
==Description==
 
==Description==
Line 12: Line 13:
 
# An attacker can specify a path used in an operation on the filesystem.  
 
# An attacker can specify a path used in an operation on the filesystem.  
 
# By specifying the resource, the attacker gains a capability that would not otherwise be permitted. For example, the program may give the attacker the ability to overwrite the specified file or run with a configuration controlled by the attacker.  
 
# By specifying the resource, the attacker gains a capability that would not otherwise be permitted. For example, the program may give the attacker the ability to overwrite the specified file or run with a configuration controlled by the attacker.  
 +
  
 
==Examples ==
 
==Examples ==
Line 25: Line 27:
 
rFile.delete();
 
rFile.delete();
 
</pre>
 
</pre>
 +
  
 
===Example 2===
 
===Example 2===
Line 35: Line 38:
 
out.println(arr);
 
out.println(arr);
 
</pre>
 
</pre>
 +
  
 
==Related Threats==
 
==Related Threats==
 +
{{Template:Stub}}
 +
 +
[[:Category:Information Disclosure]]
 +
  
 
==Related Attacks==
 
==Related Attacks==
 +
*[[Resource Injection]]
 +
*[[Relative Path Traversal]]
 +
  
 
==Related Vulnerabilities==
 
==Related Vulnerabilities==
 
[[:Category:Input Validation Vulnerability]]
 
[[:Category:Input Validation Vulnerability]]
 +
  
 
==Related Countermeasures==
 
==Related Countermeasures==
 
[[:Category:Input Validation]]
 
[[:Category:Input Validation]]
 +
  
 
==Categories==
 
==Categories==
[[Category:Injection Attack]]
+
[[:Category:Injection Attack]]
[[Category:File System]]
+
 
[[Category:Implementation]]
+
[[:Category:File System]]
[[Category:Java]]
+
 
[[Category:Code Snippet]]
+
[[:Category:Implementation]]
 +
 
 +
[[:Category:Java]]
 +
 
 +
[[:Category:Code Snippet]]
 +
 
 +
 
 +
{{Template:Stub}}
 +
 
 +
[[:Category:Code Injection (Injecting Control Plane content through the Data Plane)]]
 +
 
 +
[[:Category: Resource Manipulation]]

Revision as of 08:29, 27 July 2007

This is an Attack. To view all attacks, please see the Attack Category page.


This article includes content generously donated to OWASP by Fortify.JPG.

Abstract

Allowing user input to control paths used in filesystem operations may enable an attacker to access or modify otherwise protected system resources.


Description

Path manipulation errors occur when the following two conditions are met:

  1. An attacker can specify a path used in an operation on the filesystem.
  2. By specifying the resource, the attacker gains a capability that would not otherwise be permitted. For example, the program may give the attacker the ability to overwrite the specified file or run with a configuration controlled by the attacker.


Examples

Example 1

The following code uses input from an HTTP request to create a file name. The programmer has not considered the possibility that an attacker could provide a file name such as "../../tomcat/conf/server.xml", which causes the application to delete one of its own configuration files.

	String rName = request.getParameter("reportName");
	File rFile = new File("/usr/local/apfr/reports/" + rName);
	...
	rFile.delete();


Example 2

The following code uses input from a configuration file to determine which file to open and echo back to the user. If the program runs with privileges and malicious users can change the configuration file, they can use the program to read any file on the system that ends with the extension .txt.

	fis = new FileInputStream(cfg.getProperty("sub")+".txt");
	amt = fis.read(arr);
	out.println(arr);


Related Threats

This article is a stub. You can help OWASP by expanding it or discussing it on its Talk page.Category:Information Disclosure


Related Attacks


Related Vulnerabilities

Category:Input Validation Vulnerability


Related Countermeasures

Category:Input Validation


Categories

Category:Injection Attack

Category:File System

Category:Implementation

Category:Java

Category:Code Snippet


This article is a stub. You can help OWASP by expanding it or discussing it on its Talk page.Category:Code Injection (Injecting Control Plane content through the Data Plane)

Category: Resource Manipulation