CWE-66: Improper Handling of File Names that Identify Virtual Resources
CWE版本: 4.18
更新日期: 2025-09-09
弱点描述
The product does not handle or incorrectly handles a file name that identifies a "virtual" resource that is not directly specified within the directory that is associated with the file name, causing the product to perform file-based operations on a resource that is not a file.
扩展描述
Virtual file names are represented like normal file names, but they are effectively aliases for other resources that do not behave like normal files. Depending on their functionality, they could be alternate entities. They are not necessarily listed in directories.
常见后果
影响范围: Other
技术影响: Other
检测方法
方法: Automated Static Analysis - Binary or Bytecode
有效性: SOAR Partial
方法: Manual Static Analysis - Binary or Bytecode
有效性: SOAR Partial
方法: Dynamic Analysis with Automated Results Interpretation
有效性: SOAR Partial
方法: Dynamic Analysis with Manual Results Interpretation
有效性: SOAR Partial
方法: Manual Static Analysis - Source Code
有效性: High
方法: Automated Static Analysis - Source Code
有效性: SOAR Partial
方法: Architecture or Design Review
有效性: High
观察示例
参考: CVE-1999-0278
In IIS, remote attackers can obtain source code for ASP files by appending "::$DATA" to the URL.
参考: CVE-2004-1084
Server allows remote attackers to read files and resource fork content via HTTP requests to certain special file names related to multiple data streams in HFS+.
参考: CVE-2002-0106
Server allows remote attackers to cause a denial of service via a series of requests to .JSP files that contain an MS-DOS device name.
引入模式
| 阶段 | 说明 |
|---|---|
| Implementation | - |
| Operation | - |
适用平台
编程语言
分类映射
| 分类名称 | 条目ID | 条目名称 | 映射适配度 |
|---|---|---|---|
| PLOVER | - | Virtual Files | - |