This site is the archived OWASP Foundation Wiki and is no longer accepting Account Requests.
To view the new OWASP Foundation website, please visit https://owasp.org

Difference between revisions of "Path Manipulation"

From OWASP
Jump to: navigation, search
(Redirected page to Path Traversal)
 
(6 intermediate revisions by one other user not shown)
Line 1: Line 1:
 +
#REDIRECT [[Path Traversal]]
 
{{Template:Attack}}
 
{{Template:Attack}}
 +
<br>
 +
[[Category:OWASP ASDR Project]]
 +
 +
 +
Last revision (mm/dd/yy): '''{{REVISIONMONTH}}/{{REVISIONDAY}}/{{REVISIONYEAR}}'''
  
 
==Description==
 
==Description==
 
 
Path manipulation errors occur when the following two conditions are met:
 
Path manipulation errors occur when the following two conditions are met:
  
Line 10: Line 15:
 
Allowing user input to control paths used in filesystem operations may enable an attacker to access or modify  protected system resources.
 
Allowing user input to control paths used in filesystem operations may enable an attacker to access or modify  protected system resources.
  
== Severity ==
+
==Risk Factors==
 
+
TBD
Medium to High
 
 
 
== Likelihood of exploitation ==
 
 
 
High to Very High
 
  
 
==Examples ==
 
==Examples ==
Line 41: Line 41:
 
</pre>
 
</pre>
  
==Related Threats==
+
==Related [[Threat Agents]]==
 +
* [[:Category:Information Disclosure]]
 +
[[Category:FIXME|this link doesn't exist, create category or change link?]]
  
[[:Category:Information Disclosure]]
+
==Related [[Attacks]]==
 +
* [[Resource Injection]]
 +
* [[Relative Path Traversal]]
  
==Related Attacks==
+
==Related [[Vulnerabilities]]==
*[[Resource Injection]]
+
* [[:Category:Input Validation Vulnerability]]
*[[Relative Path Traversal]]
 
  
==Related Vulnerabilities==
+
==Related [[Controls]]==
[[:Category:Input Validation Vulnerability]]
+
* [[:Category:Input Validation]]
  
==Related Countermeasures==
+
==References==
[[:Category:Input Validation]]
+
TBD
  
 
==Credit==
 
==Credit==
Line 59: Line 62:
  
 
[[Category:Injection Attack]]
 
[[Category:Injection Attack]]
 
[[Category:Attack]]
 

Latest revision as of 18:43, 6 October 2015

Redirect to:

This is an Attack. To view all attacks, please see the Attack Category page.



Last revision (mm/dd/yy): 10/6/2015

Description

Path manipulation errors occur when the following two conditions are met:

  1. An attacker can specify a path used in an operation on the filesystem.
  2. By specifying the resource, the attacker gains a capability that would not otherwise be permitted. For example, the program may give the attacker the ability to overwrite the specified file or run with a configuration controlled by the attacker.

Allowing user input to control paths used in filesystem operations may enable an attacker to access or modify protected system resources.

Risk Factors

TBD

Examples

Example 1

The following code uses input from an HTTP request to create a file name. The programmer has not considered the possibility that an attacker could provide a file name such as "../../tomcat/conf/server.xml", which causes the application to delete one of its own configuration files.

	String rName = request.getParameter("reportName");
	File rFile = new File("/usr/local/apfr/reports/" + rName);
	...
	rFile.delete();

Example 2

The following code uses input from a configuration file to determine which file to open and echo back to the user. If the program runs with privileges and malicious users can change the configuration file, they can use the program to read any file on the system that ends with the extension .txt.

	fis = new FileInputStream(cfg.getProperty("sub")+".txt");
	amt = fis.read(arr);
	out.println(arr);

Related Threat Agents

Related Attacks

Related Vulnerabilities

Related Controls

References

TBD

Credit

This article includes content generously donated to OWASP by MicroFocus Logo.png