1. Home
  2. CWE Database
  3. CWE-36
Base · Medium

CWE-36: Absolute Path Traversal

The product uses external input to construct a pathname that should be within a restricted directory, but it does not properly neutralize absolute path sequences such as "/abs/path" that can resolve t...

CWE-36 · Base Level ·18 CVEs ·3 Mitigations

Description

The product uses external input to construct a pathname that should be within a restricted directory, but it does not properly neutralize absolute path sequences such as "/abs/path" that can resolve to a location that is outside of that directory.

This allows attackers to traverse the file system to access files or directories that are outside of the restricted directory.

Potential Impact

Integrity, Confidentiality, Availability

Execute Unauthorized Code or Commands

Integrity

Modify Files or Directories

Confidentiality

Read Files or Directories

Availability

DoS: Crash, Exit, or Restart

Demonstrative Examples

In the example below, the path to a dictionary file is read from a system property and used to initialize a File object.
Bad
String filename = System.getProperty("com.domain.application.dictionaryFile");File dictionaryFile = new File(filename);
However, the path is not validated or modified to prevent it from containing relative or absolute path sequences before creating the File object. This allows anyone who can control the system property to determine what file is used. Ideally, the path should be resolved relative to some kind of application or user home directory.
This script intends to read a user-supplied file from the current directory. The user inputs the relative path to the file and the script uses Python's os.path.join() function to combine the path to the current working directory with the provided path to the specified file. This results in an absolute path to the desired file. If the file does not exist when the script attempts to read it, an error is printed to the user.
Bad
import os
                  import sys
                  def main():
                     
                     filename = sys.argv[1]
                     path = os.path.join(os.getcwd(), filename)
                     try:
                        
                        with open(path, 'r') as f:
                           
                           file_data = f.read()
                           
                        
                     except FileNotFoundError as e:
                        
                        print("Error - file not found")
                        
                     
                  main()
However, if the user supplies an absolute path, the os.path.join() function will discard the path to the current working directory and use only the absolute path provided. For example, if the current working directory is /home/user/documents, but the user inputs /etc/passwd, os.path.join() will use only /etc/passwd, as it is considered an absolute path. In the above scenario, this would cause the script to access and read the /etc/passwd file.
Good
import os
                     import sys
                     def main():
                     
                       filename = sys.argv[1]
                       path = os.path.normpath(f"{os.getcwd()}{os.sep}{filename}")
		       if path.startswith("/home/cwe/documents/"):
		       
			 try:
			 
                           with open(path, 'r') as f:
                           
                             file_data = f.read()
                           
			 
			 except FileNotFoundError as e:
			 
                           print("Error - file not found")
			 
                       
		     
                     main()
The constructed path string uses os.sep to add the appropriate separation character for the given operating system (e.g. '\' or '/') and the call to os.path.normpath() removes any additional slashes that may have been entered - this may occur particularly when using a Windows path. The path is checked against an expected directory (/home/cwe/documents); otherwise, an attacker could provide relative path sequences like ".." to cause normpath() to generate paths that are outside the intended directory (CWE-23). By putting the pieces of the path string together in this fashion, the script avoids a call to os.path.join() and any potential issues that might arise if an absolute path is entered. With this version of the script, if the current working directory is /home/cwe/documents, and the user inputs /etc/passwd, the resulting path will be /home/cwe/documents/etc/passwd. The user is therefore contained within the current working directory as intended.

Mitigations & Prevention

Implementation High

Assume all input is malicious. Use an "accept known good" input validation strategy, i.e., use a list of acceptable inputs that strictly conform to specifications. Reject any input that does not strictly conform to specifications, or transform it into something that does. When performing input validation, consider all potentially relevant properties, including length, type of input, the full range of acceptable values, missing or extra inputs, syntax, consistency across relat

Implementation

Inputs should be decoded and canonicalized to the application's current internal representation before being validated (CWE-180). Make sure that the application does not decode the same input twice (CWE-174). Such errors could be used to bypass allowlist validation schemes by introducing dangerous inputs after they have been checked.

Operation Moderate

Use an application firewall that can detect attacks against this weakness. It can be beneficial in cases in which the code cannot be fixed (because it is controlled by a third party), as an emergency prevention measure while more comprehensive software assurance measures are applied, or to provide defense in depth [REF-1481].

Detection Methods

  • Automated Static Analysis High — Automated static analysis, commonly referred to as Static Application Security Testing (SAST), can find some instances of this weakness by analyzing source code (or binary/compiled code) without having to execute it. Typically, this is done by building a model of data flow and control flow, then sea

Real-World CVE Examples

CVE IDDescription
CVE-2024-0520Product for managing datasets for AI model training and evaluation allows both relative (CWE-23) and absolute (CWE-36) path traversal to overwrite files via the Content-Disposition header
CVE-2022-31503Python package constructs filenames using an unsafe os.path.join call on untrusted input, allowing absolute path traversal because os.path.join resets the pathname to an absolute path that is specifie
CVE-2002-1345Multiple FTP clients write arbitrary files via absolute paths in server responses
CVE-2001-1269ZIP file extractor allows full path
CVE-2002-1818Path traversal using absolute pathname
CVE-2002-1913Path traversal using absolute pathname
CVE-2005-2147Path traversal using absolute pathname
CVE-2000-0614Arbitrary files may be overwritten via compressed attachments that specify absolute path names for the decompressed output.
CVE-1999-1263Mail client allows remote attackers to overwrite arbitrary files via an e-mail message containing a uuencoded attachment that specifies the full pathname for the file to be modified.
CVE-2003-0753Remote attackers can read arbitrary files via a full pathname to the target file in config parameter.
CVE-2002-1525Remote attackers can read arbitrary files via an absolute pathname.
CVE-2001-0038Remote attackers can read arbitrary files by specifying the drive letter in the requested URL.
CVE-2001-0255FTP server allows remote attackers to list arbitrary directories by using the "ls" command and including the drive letter name (e.g. C:) in the requested pathname.
CVE-2001-0933FTP server allows remote attackers to list the contents of arbitrary drives via a ls command that includes the drive letter as an argument.
CVE-2002-0466Server allows remote attackers to browse arbitrary directories via a full pathname in the arguments to certain dynamic pages.

Showing 15 of 18 observed examples.

CWE-22: Improper Limitation of a Pathname to a Restricted Directory ('Path Traversal')

The product uses external input to construct a pathname that is intended to identify a file or directory that is located...

Taxonomy Mappings

  • PLOVER: — Absolute Path Traversal
  • Software Fault Patterns: SFP16 — Path Traversal

Frequently Asked Questions

What is CWE-36?

CWE-36 (Absolute Path Traversal) is a software weakness identified by MITRE's Common Weakness Enumeration. It is classified as a Base-level weakness. The product uses external input to construct a pathname that should be within a restricted directory, but it does not properly neutralize absolute path sequences such as "/abs/path" that can resolve t...

How can CWE-36 be exploited?

Attackers can exploit CWE-36 (Absolute Path Traversal) to execute unauthorized code or commands. This weakness is typically introduced during the Implementation phase of software development.

How do I prevent CWE-36?

Key mitigations include: Assume all input is malicious. Use an "accept known good" input validation strategy, i.e., use a list of acceptable inputs that strictly conform to specifications. Reject any input that does not stric

What is the severity of CWE-36?

CWE-36 is classified as a Base-level weakness (Medium abstraction). It has been observed in 18 real-world CVEs.