Description
The product accepts path input in the form of trailing dot ('filedir.') without appropriate validation, which can lead to ambiguous path resolution and allow an attacker to traverse the file system to unintended locations or access arbitrary files.
Potential Impact
Access Control
Bypass Protection Mechanism
Real-World CVE Examples
| CVE ID | Description |
|---|---|
| CVE-2000-1114 | Source code disclosure using trailing dot |
| CVE-2002-1986 | Source code disclosure using trailing dot |
| CVE-2004-2213 | Source code disclosure using trailing dot |
| CVE-2005-3293 | Source code disclosure using trailing dot |
| CVE-2004-0061 | Bypass directory access restrictions using trailing dot in URL |
| CVE-2000-1133 | Bypass directory access restrictions using trailing dot in URL |
| CVE-2001-1386 | Bypass check for ".lnk" extension using ".lnk." |
Related Weaknesses
Taxonomy Mappings
- PLOVER: — Trailing Dot - 'filedir.'
- Software Fault Patterns: SFP16 — Path Traversal
Frequently Asked Questions
What is CWE-42?
CWE-42 (Path Equivalence: 'filename.' (Trailing Dot)) is a software weakness identified by MITRE's Common Weakness Enumeration. It is classified as a Variant-level weakness. The product accepts path input in the form of trailing dot ('filedir.') without appropriate validation, which can lead to ambiguous path resolution and allow an attacker to traverse the file system to...
How can CWE-42 be exploited?
Attackers can exploit CWE-42 (Path Equivalence: 'filename.' (Trailing Dot)) to bypass protection mechanism. This weakness is typically introduced during the Implementation phase of software development.
How do I prevent CWE-42?
Follow secure coding practices, conduct code reviews, and use automated security testing tools (SAST/DAST) to detect this weakness early in the development lifecycle.
What is the severity of CWE-42?
CWE-42 is classified as a Variant-level weakness (Low-Medium abstraction). It has been observed in 7 real-world CVEs.