CWE-48: Path Equivalence: 'file name' (Internal Whitespace)
CWE版本: 4.18
更新日期: 2025-09-09
弱点描述
The product accepts path input in the form of internal space ('file(SPACE)name') without appropriate validation, which can lead to ambiguous path resolution and allow an attacker to traverse the file system to unintended locations or access arbitrary files.
常见后果
影响范围: Confidentiality Integrity
技术影响: Read Files or Directories Modify Files or Directories
观察示例
参考: CVE-2000-0293
Filenames with spaces allow arbitrary file deletion when the product does not properly quote them; some overlap with path traversal.
参考: CVE-2001-1567
"+" characters in query string converted to spaces before sensitive file/extension (internal space), leading to bypass of access restrictions to the file.
引入模式
| 阶段 | 说明 |
|---|---|
| Implementation | - |
适用平台
编程语言
分类映射
| 分类名称 | 条目ID | 条目名称 | 映射适配度 |
|---|---|---|---|
| PLOVER | - | file(SPACE)name (internal space) | - |
| OWASP Top Ten 2004 | A9 | Denial of Service | CWE More Specific |
| Software Fault Patterns | SFP16 | Path Traversal | - |