CWE-72: Improper Handling of Apple HFS+ Alternate Data Stream Path

Variant Incomplete Simple

CWE Version: 4.18

Last Updated: 2025-09-09

Weakness Description

The product does not properly handle special paths that may identify the data or resource fork of a file on the HFS+ file system.

Extended Description

If the product chooses actions to take based on the file name, then if an attacker provides the data or resource fork, the product may take unexpected actions. Further, if the product intends to restrict access to a file, then an attacker might still be able to bypass intended access restrictions by requesting the data or resource fork for that file.
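The check below is an added example, not part of the CWE entry: it contrasts a decision made on the file name alone with one that first rejects fork-addressing paths. The `..namedfork` selector and the legacy `<file>/rsrc` form are macOS path conventions not quoted in the entry; the protected extensions, function names and sample paths are hypothetical and constructed for illustration.

```python
import os

# Fork-selector component used by macOS ("<file>/..namedfork/rsrc" or ".../data").
# This name is macOS behaviour, not text from the CWE entry.
NAMED_FORK_MARKER = "..namedfork"
PROTECTED_EXTENSIONS = (".php", ".conf")  # hypothetical policy: never serve raw


def naive_is_servable(path):
    """Name-based decision only: inspects the trailing extension."""
    return not path.lower().endswith(PROTECTED_EXTENSIONS)


def addresses_fork(path, is_file=os.path.isfile):
    """True if the path selects a fork of a file instead of naming a file."""
    parts = [p for p in path.split("/") if p]
    if any(p.lower() == NAMED_FORK_MARKER for p in parts):
        return True
    # A component below a regular file (legacy "<file>/rsrc") is a fork
    # selector, because a regular file cannot contain directory entries.
    return any(is_file("/" + "/".join(parts[:i])) for i in range(1, len(parts)))


def hardened_is_servable(path, is_file=os.path.isfile):
    """Reject fork-addressing paths before applying the name-based policy."""
    return not addresses_fork(path, is_file) and naive_is_servable(path)


# Constructed sample data: a fake file set stands in for the real filesystem.
SAMPLE_FILES = {"/site/index.php", "/site/logo.png", "/site/rsrc/logo.png"}
SAMPLE_REQUESTS = [
    "/site/index.php",
    "/site/index.php/..namedfork/data",
    "/site/index.php/rsrc",
    "/site/logo.png",
    "/site/rsrc/logo.png",  # a real directory named "rsrc" must stay reachable
]


def evaluate(requests=SAMPLE_REQUESTS, files=SAMPLE_FILES):
    """Return {request: (naive_decision, hardened_decision)}."""
    return {r: (naive_is_servable(r), hardened_is_servable(r, files.__contains__))
            for r in requests}


if __name__ == "__main__":
    for req, (naive, hardened) in evaluate().items():
        print(f"{req:40} naive={naive!s:5} hardened={hardened}")
```

In production the default `is_file=os.path.isfile` consults the real filesystem; the set-based lookup is only there so the sample runs offline.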

Common Consequences

Scope: Confidentiality, Integrity

Technical Impact: Read Files or Directories; Modify Files or Directories

Observed Examples

Reference: CVE-2004-1084

Server allows remote attackers to read files and resource fork content via HTTP requests to certain special file names related to multiple data streams in HFS+.

Modes of Introduction

Phase Note
Implementation -

Applicable Platforms

Programming Languages
Not Language-Specific (Undetermined)
Operating Systems
macOS (Undetermined)

Key Information

CWE ID: CWE-72

Abstraction: Variant

Structure: Simple

Status: Incomplete

Related Weaknesses