CWE-49: Path Equivalence: 'filename/' (Trailing Slash)
CWE version: 4.18
Updated: 2025-09-09
Weakness description
The product accepts path input in the form of trailing slash ('filedir/') without appropriate validation, which can lead to ambiguous path resolution and allow an attacker to traverse the file system to unintended locations or access arbitrary files.
Common consequences
Scope: Confidentiality, Integrity
Technical impact: Read Files or Directories; Modify Files or Directories
Observed examples
Reference: CVE-2002-0253
Overlaps infoleak
Reference: CVE-2001-0446
Application server allows remote attackers to read source code for .jsp files by appending a / to the requested URL.
Reference: CVE-2004-0334
Bypass Basic Authentication for files using trailing "/"
Reference: CVE-2001-0893
Read sensitive files with trailing "/"
Reference: CVE-2001-0892
Web server allows remote attackers to view sensitive files under the document root (such as .htpasswd) via a GET request with a trailing /.
Reference: CVE-2004-1814
Directory traversal vulnerability in server allows remote attackers to read protected files via .. (dot dot) sequences in an HTTP request.
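The .jsp and .htpasswd cases above share one root cause: the access check runs against the raw request string, so "index.jsp/" is not recognised as "index.jsp". The following is an added illustration, not code from CWE or from any of the products referenced; the document tree, the protected suffixes and the three-way verdict are constructed for the example. It places the weak suffix check beside a resolver that canonicalizes first and refuses a trailing slash on a file target.

```python
import posixpath

# Constructed sample of a served tree: canonical URL path -> kind
SAMPLE_TREE = {
    "/": "dir",
    "/app": "dir",
    "/app/index.jsp": "file",
    "/app/.htpasswd": "file",
    "/app/public.html": "file",
}
PROTECTED_SUFFIXES = (".jsp", ".htpasswd")   # must never be served as raw bytes


def naive_is_protected(request_path):
    """The weak check: it tests the raw request string, so "/app/index.jsp/"
    is not matched and the source would be served."""
    return request_path.endswith(PROTECTED_SUFFIXES)


def canonicalize(request_path):
    """Reduce every equivalent spelling ("//", "/./", "/../", "name/") to one
    form. Returns (canonical path, whether a trailing slash was present)."""
    path = "/" + request_path.lstrip("/")          # one leading slash only
    trailing = len(path) > 1 and path.endswith("/")
    canonical = posixpath.normpath(path)           # also clamps ".." at the root
    return canonical, trailing


def resolve_request(request_path, tree=SAMPLE_TREE):
    """Decide what a request maps to after canonicalization.
    Returns "deny", "not_found", or the canonical path that may be served."""
    canonical, trailing = canonicalize(request_path)
    kind = tree.get(canonical)
    if kind is None:
        return "not_found"
    # A trailing slash names a directory; on a file it is exactly the
    # ambiguous form this CWE describes, so refuse rather than guess.
    if kind == "file" and trailing:
        return "not_found"
    # Authorization is applied to the canonical name, never the raw string.
    if canonical.endswith(PROTECTED_SUFFIXES):
        return "deny"
    return canonical
```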
Modes of introduction
| Phase | Note |
|---|---|
| Implementation | - |
| Operation | - |
Applicable platforms
Languages
Taxonomy mappings
| Taxonomy name | Node ID | Node name | Mapped fit |
|---|---|---|---|
| PLOVER | - | filedir/ (trailing slash, trailing /) | - |
| Software Fault Patterns | SFP16 | Path Traversal | - |