Description
The product accepts input that contains a drive letter or Windows volume letter ('C:dirname') that potentially redirects access to an unintended location or arbitrary file.
Potential Impact
Integrity, Confidentiality, Availability
Execute Unauthorized Code or Commands
Integrity
Modify Files or Directories
Confidentiality
Read Files or Directories
Availability
DoS: Crash, Exit, or Restart
Mitigations & Prevention
Assume all input is malicious. Use an "accept known good" input validation strategy, i.e., use a list of acceptable inputs that strictly conform to specifications. Reject any input that does not strictly conform to specifications, or transform it into something that does. When performing input validation, consider all potentially relevant properties, including length, type of input, the full range of acceptable values, missing or extra inputs, syntax, consistency across relat
Inputs should be decoded and canonicalized to the application's current internal representation before being validated (CWE-180). Make sure that the application does not decode the same input twice (CWE-174). Such errors could be used to bypass allowlist validation schemes by introducing dangerous inputs after they have been checked.
Detection Methods
- Automated Static Analysis — Automated static analysis, commonly referred to as Static Application Security Testing (SAST), can find some instances of this weakness by analyzing source code (or binary/compiled code) without having to execute it. Typically, this is done by building a model of data flow and control flow, then sea
Real-World CVE Examples
| CVE ID | Description |
|---|---|
| CVE-2001-0038 | Remote attackers can read arbitrary files by specifying the drive letter in the requested URL. |
| CVE-2001-0255 | FTP server allows remote attackers to list arbitrary directories by using the "ls" command and including the drive letter name (e.g. C:) in the requested pathname. |
| CVE-2001-0687 | FTP server allows a remote attacker to retrieve privileged system information by specifying arbitrary paths. |
| CVE-2001-0933 | FTP server allows remote attackers to list the contents of arbitrary drives via a ls command that includes the drive letter as an argument. |
| CVE-2002-0466 | Server allows remote attackers to browse arbitrary directories via a full pathname in the arguments to certain dynamic pages. |
| CVE-2002-1483 | Remote attackers can read arbitrary files via an HTTP request whose argument is a filename of the form "C:" (Drive letter), "//absolute/path", or ".." . |
| CVE-2004-2488 | FTP server read/access arbitrary files using "C:\" filenames |
Related Weaknesses
Taxonomy Mappings
- PLOVER: — 'C:dirname' or C: (Windows volume or 'drive letter')
- CERT C Secure Coding: FIO05-C — Identify files using multiple file attributes
- Software Fault Patterns: SFP16 — Path Traversal
Frequently Asked Questions
What is CWE-39?
CWE-39 (Path Traversal: 'C:dirname') is a software weakness identified by MITRE's Common Weakness Enumeration. It is classified as a Variant-level weakness. The product accepts input that contains a drive letter or Windows volume letter ('C:dirname') that potentially redirects access to an unintended location or arbitrary file.
How can CWE-39 be exploited?
Attackers can exploit CWE-39 (Path Traversal: 'C:dirname') to execute unauthorized code or commands. This weakness is typically introduced during the Implementation phase of software development.
How do I prevent CWE-39?
Key mitigations include: Assume all input is malicious. Use an "accept known good" input validation strategy, i.e., use a list of acceptable inputs that strictly conform to specifications. Reject any input that does not stric
What is the severity of CWE-39?
CWE-39 is classified as a Variant-level weakness (Low-Medium abstraction). It has been observed in 7 real-world CVEs.