Difference between revisions of "Relative Path Traversal"
From OWASP
Weilin Zhong (talk | contribs)
Line 1: | Line 1: | ||
+ | {{Template:Attack}} | ||
− | + | This attack is a variant of Path Traversal and can be exploited when the application accepts the use of relative traversal sequences such as "../". | |
− | + | More detailed information can be found on [[Path_Traversal]] | |
==Examples == | ==Examples == | ||
+ | |||
+ | The following URLs are vulnerable to this attack: | ||
+ | |||
+ | <nowiki> http://some_site.com.br/get-files.jsp?file=report.pdf </nowiki> | ||
+ | <nowiki> http://some_site.com.br/get-page.php?home=aaa.html </nowiki> | ||
+ | <nowiki> http://some_site.com.br/some-page.asp?page=index.html </nowiki> | ||
+ | |||
+ | A simple way to execute this attack is like this: | ||
+ | |||
+ | <nowiki> http://some_site.com.br/get-files?file=../../../../some dir/some file </nowiki> | ||
+ | <nowiki> http://some_site.com.br/../../../../etc/shadow </nowiki> | ||
+ | <nowiki> http://some_site.com.br/get-files?file=../../../../etc/passwd </nowiki> | ||
+ | |||
==Related Threats== | ==Related Threats== | ||
+ | {{Template:Stub}} | ||
+ | |||
+ | [[: Category: Information Disclosure]] | ||
+ | |||
==Related Attacks== | ==Related Attacks== | ||
+ | *[[Path Manipulation]] | ||
+ | *[[ Path Traversal]] | ||
+ | *[[ Resource Injection]] | ||
+ | |||
==Related Vulnerabilities== | ==Related Vulnerabilities== | ||
+ | [[:Category:Input Validation Vulnerability]] | ||
+ | |||
==Related Countermeasures== | ==Related Countermeasures== | ||
+ | [[:Category:Input Validation]] | ||
+ | |||
==Categories== | ==Categories== | ||
+ | {{Template:Stub}} | ||
− | + | [[Category: Resource Manipulation]] |
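Review bot: The wiki link syntax in the added Related Threats and Related Attacks entries is inconsistent. `[[: Category: Information Disclosure]]` has spaces after the colons while `[[:Category:Input Validation Vulnerability]]` does not, and `[[ Path Traversal]]` and `[[ Resource Injection]]` carry a leading space that `[[Path Manipulation]]` lacks; suggest normalising all of them to the unspaced form. `{{Template:Stub}}` is added under both Related Threats and Categories, where one instance is enough. In the Examples text, the URLs are called "vulnerable" without saying what the handler does with the `file`, `home` or `page` parameter, and Related Countermeasures only links a category, so a sentence on resolving the requested path and checking that it stays under the served directory would make the section usable on its own.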
Revision as of 14:16, 27 July 2007
This is an Attack. To view all attacks, please see the Attack Category page.
This attack is a variant of Path Traversal and can be exploited when the application accepts the use of relative traversal sequences such as "../".
More detailed information can be found on the Path Traversal page.
Examples
The following URLs are vulnerable to this attack:
http://some_site.com.br/get-files.jsp?file=report.pdf
http://some_site.com.br/get-page.php?home=aaa.html
http://some_site.com.br/some-page.asp?page=index.html
A simple way to execute this attack is like this:
http://some_site.com.br/get-files?file=../../../../some dir/some file
http://some_site.com.br/../../../../etc/shadow
http://some_site.com.br/get-files?file=../../../../etc/passwd
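A containment check that a handler such as get-files could apply before opening the requested file, shown beside the unchecked join that makes the URLs above work. This is an added example, not code from the OWASP page; BASE_DIR, the function names and the way the `file` parameter is read are assumptions.

```python
import os
from urllib.parse import urlsplit, parse_qs

BASE_DIR = "/var/www/files"  # assumed directory the handler is meant to serve from

def naive_path(name):
    """Vulnerable pattern: join the parameter to the base directory as-is."""
    return os.path.normpath(os.path.join(BASE_DIR, name))

def safe_path(name, base_dir=BASE_DIR):
    """Return the resolved path, or raise ValueError if it is not under base_dir."""
    if "\x00" in name:
        raise ValueError("NUL byte in file name")
    base = os.path.realpath(base_dir)
    # realpath collapses "../" and follows symlinks; an absolute name
    # replaces base in os.path.join and is caught by the same comparison.
    target = os.path.realpath(os.path.join(base, name))
    if target == base or os.path.commonpath([base, target]) != base:
        raise ValueError("path is outside the served directory")
    return target

def extract_file_param(url):
    """Extract the 'file' query parameter; parse_qs percent-decodes it once."""
    return parse_qs(urlsplit(url).query).get("file", [""])[0]

def decide(url):
    """Return ('serve', path) or ('reject', reason) for a request URL."""
    try:
        return ("serve", safe_path(extract_file_param(url)))
    except ValueError as exc:
        return ("reject", str(exc))

if __name__ == "__main__":
    # URLs taken from the examples on this page.
    for url in (
        "http://some_site.com.br/get-files.jsp?file=report.pdf",
        "http://some_site.com.br/get-files?file=../../../../etc/passwd",
    ):
        name = extract_file_param(url)
        print(url, "->", decide(url), "| naive:", naive_path(name))
```

The comparison uses `os.path.commonpath` rather than a string prefix test, so a sibling directory such as `/var/www/files2` is not mistaken for a path inside `/var/www/files`.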
Related Threats
This article is a stub. You can help OWASP by expanding it or discussing it on its Talk page.
Category: Information Disclosure
Related Attacks
Related Vulnerabilities
Category:Input Validation Vulnerability
Related Countermeasures
Categories