CWE-73: External Control of File Name or Path
CWE版本: 4.18
更新日期: 2025-09-09
弱点描述
The product allows user input to control or influence paths or file names that are used in filesystem operations.
常见后果
影响范围: Integrity Confidentiality
技术影响: Read Files or Directories Modify Files or Directories
说明: The application can operate on unexpected files. Confidentiality is violated when the targeted filename is not directly readable by the attacker.
影响范围: Integrity Confidentiality Availability
技术影响: Modify Files or Directories Execute Unauthorized Code or Commands
说明: The application can operate on unexpected files. This may violate integrity if the filename is written to, or if the filename is for a program or other form of executable code.
影响范围: Availability
技术影响: DoS: Crash, Exit, or Restart DoS: Resource Consumption (Other)
说明: The application can operate on unexpected files. Availability can be violated if the attacker specifies an unexpected file that the application modifies. Availability can also be affected if the attacker specifies a filename for a large file, or points to a special device or a file that does not have the format that the application expects.
潜在缓解措施
阶段: Architecture and Design
描述: When the set of filenames is limited or known, create a mapping from a set of fixed input values (such as numeric IDs) to the actual filenames, and reject all other inputs. For example, ID 1 could map to "inbox.txt" and ID 2 could map to "profile.txt". Features such as the ESAPI AccessReferenceMap provide this capability.
阶段: Architecture and Design Operation
阶段: Architecture and Design
描述: For any security checks that are performed on the client side, ensure that these checks are duplicated on the server side, in order to avoid CWE-602. Attackers can bypass the client-side checks by modifying values after the checks have been performed, or by changing the client to remove the client-side checks entirely. Then, these modified values would be submitted to the server.
阶段: Implementation
策略: Input Validation
有效性: High
阶段: Implementation
描述: Use a built-in path canonicalization function (such as realpath() in C) that produces the canonical version of the pathname, which effectively removes ".." sequences and symbolic links (CWE-23, CWE-59).
阶段: Installation Operation
描述: Use OS-level permissions and run as a low-privileged user to limit the scope of any successful attack.
阶段: Operation Implementation
描述: If you are using PHP, configure your application so that it does not use register_globals. During implementation, develop your application so that it does not rely on this feature, but be wary of implementing a register_globals emulation that is subject to weaknesses such as CWE-95, CWE-621, and similar issues.
阶段: Testing
描述: Use tools and techniques that require manual (human) analysis, such as penetration testing, threat modeling, and interactive tools that allow the tester to record and modify an active session. These may be more effective than strictly automated techniques. This is especially the case with weaknesses that are related to design and business rules.
检测方法
方法: Automated Static Analysis
观察示例
参考: CVE-2022-45918
Chain: a learning management tool debugger uses external input to locate previous session logs (CWE-73) and does not properly validate the given path (CWE-20), allowing for filesystem path traversal using "../" sequences (CWE-24)
参考: CVE-2008-5748
Chain: external control of values for user's desired language and theme enables path traversal.
参考: CVE-2008-5764
Chain: external control of user's target language enables remote file inclusion.
引入模式
| 阶段 | 说明 |
|---|---|
| Architecture and Design | - |
| Implementation | REALIZATION: This weakness is caused during implementation of an architectural security tactic. |
适用平台
编程语言
操作系统
分类映射
| 分类名称 | 条目ID | 条目名称 | 映射适配度 |
|---|---|---|---|
| 7 Pernicious Kingdoms | - | Path Manipulation | - |
| Software Fault Patterns | SFP16 | Path Traversal | - |
关键信息
CWE ID: CWE-73
抽象级别: Base
结构: Simple
状态: Draft
利用可能性: High