Description
The product accepts path input in the form of multiple leading slash ('//multiple/leading/slash') without appropriate validation, which can lead to ambiguous path resolution and allow an attacker to traverse the file system to unintended locations or access arbitrary files.
Potential Impact
Confidentiality, Integrity
Read Files or Directories, Modify Files or Directories
Real-World CVE Examples
| CVE ID | Description |
|---|---|
| CVE-2002-1483 | Read files with full pathname using multiple internal slash. |
| CVE-1999-1456 | Server allows remote attackers to read arbitrary files via a GET request with more than one leading / (slash) character in the filename. |
| CVE-2004-0578 | Server allows remote attackers to read arbitrary files via leading slash (//) characters in a URL request. |
| CVE-2002-0275 | Server allows remote attackers to bypass authentication and read restricted files via an extra / (slash) in the requested URL. |
| CVE-2004-1032 | Product allows local users to delete arbitrary files or create arbitrary empty files via a target filename with a large number of leading slash (/) characters. |
| CVE-2002-1238 | Server allows remote attackers to bypass access restrictions for files via an HTTP request with a sequence of multiple / (slash) characters such as http://www.example.com///file/. |
| CVE-2004-1878 | Product allows remote attackers to bypass authentication, obtain sensitive information, or gain access via a direct request to admin/user.pl preceded by // (double leading slash). |
| CVE-2005-1365 | Server allows remote attackers to execute arbitrary commands via a URL with multiple leading "/" (slash) characters and ".." sequences. |
| CVE-2000-1050 | Access directory using multiple leading slash. |
| CVE-2001-1072 | Bypass access restrictions via multiple leading slash, which causes a regular expression to fail. |
| CVE-2004-0235 | Archive extracts to arbitrary files using multiple leading slash in filenames in the archive. |
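The Description above and the table's CVE-2001-1072 (access regex fails on a doubled slash) and CVE-2005-1365 (leading slashes combined with "..") patterns reduce to one mistake: the access-control decision is made on the raw request path, while the operating system later collapses the extra slashes and resolves the dot segments. The following Python is an added example written for this page; it is not MITRE's code or code from any of the affected products. The document root, the in-memory "filesystem" and the `/admin/` rule are constructed for illustration. It shows a vulnerable request handler beside a hardened one, and why `posixpath.normpath` alone does not remove a leading `//` (POSIX allows exactly two initial slashes to carry special meaning, so normpath preserves them).

```python
import posixpath
import re
from typing import Optional

# Constructed document root and a tiny in-memory "filesystem" standing in
# for the real disk, so the example runs offline.
DOC_ROOT = "/srv/www"
FILES = {
    "/srv/www/index.html": "<h1>public</h1>",
    "/srv/www/admin/users.txt": "alice:admin",
    "/etc/passwd": "root:x:0:0",
}

# Intended policy: anonymous users may not read anything under /admin/.
RESTRICTED = re.compile(r"^/admin/")


def os_like_lookup(path: str) -> Optional[str]:
    """Simulate the OS view of a path: the kernel treats any run of slashes
    as one separator and resolves '.' and '..', so '/srv/www//admin/x' and
    '/srv/www/../../etc/passwd' name '/srv/www/admin/x' and '/etc/passwd'."""
    collapsed = re.sub(r"/+", "/", path)
    return FILES.get(posixpath.normpath(collapsed))


def serve_vulnerable(request_path: str, authenticated: bool = False) -> Optional[str]:
    """CWE-50 pattern: the regex runs on the raw request path, then the raw
    path is concatenated onto the document root. '//admin/users.txt' does
    not match '^/admin/' but still reaches the admin file once the OS
    collapses the slashes."""
    if RESTRICTED.match(request_path) and not authenticated:
        return None  # 403 Forbidden
    return os_like_lookup(DOC_ROOT + request_path)


def normpath_alone(request_path: str) -> str:
    """What posixpath.normpath does on its own: a single leading '//' survives."""
    return posixpath.normpath(request_path)


def canonicalize(request_path: str) -> str:
    """Collapse every run of slashes to one BEFORE normalizing dot segments.
    Doing the collapse first sidesteps normpath's two-leading-slash rule and
    leaves one absolute path with no '.' or '..' components."""
    single = re.sub(r"/+", "/", request_path)
    if not single.startswith("/"):
        single = "/" + single
    return posixpath.normpath(single)


def serve_hardened(request_path: str, authenticated: bool = False) -> Optional[str]:
    """Access control and file lookup both use the canonical form, and a
    containment check confirms the final path is still under DOC_ROOT."""
    path = canonicalize(request_path)
    if RESTRICTED.match(path) and not authenticated:
        return None  # 403 Forbidden
    full = posixpath.normpath(posixpath.join(DOC_ROOT, path.lstrip("/")))
    # Defense in depth: canonicalize() already removed '..', but a later
    # refactor that joins before normalizing would be caught here.
    if posixpath.commonpath([DOC_ROOT, full]) != DOC_ROOT:
        return None
    return os_like_lookup(full)


if __name__ == "__main__":
    for req in ("/index.html", "/admin/users.txt", "//admin/users.txt", "///../../etc/passwd"):
        print(f"{req!r:28} vulnerable={serve_vulnerable(req)!r:18} hardened={serve_hardened(req)!r}")
```

Running the block prints the contrast: the vulnerable handler returns the admin file for `//admin/users.txt` and `/etc/passwd` for `///../../etc/passwd`, while the hardened handler refuses the first and maps the second harmlessly inside the document root. The important ordering is collapse slashes, then normalize, then apply the access rule and the containment check; applying the rule to the raw string is the weakness itself.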
Related Weaknesses
Taxonomy Mappings
- PLOVER: //multiple/leading/slash ('multiple leading slash')
- Software Fault Patterns: SFP16 — Path Traversal
Frequently Asked Questions
What is CWE-50?
CWE-50 (Path Equivalence: '//multiple/leading/slash') is a software weakness identified by MITRE's Common Weakness Enumeration. It is classified as a Variant-level weakness. The product accepts path input in the form of multiple leading slash ('//multiple/leading/slash') without appropriate validation, which can lead to ambiguous path resolution and allow an attacker to t...
How can CWE-50 be exploited?
Attackers can exploit CWE-50 (Path Equivalence: '//multiple/leading/slash') to read or modify files or directories. This weakness is typically introduced during the Implementation phase of software development.
How do I prevent CWE-50?
Follow secure coding practices, conduct code reviews, and use automated security testing tools (SAST/DAST) to detect this weakness early in the development lifecycle.
What is the severity of CWE-50?
CWE-50 is classified as a Variant-level weakness (Low-Medium abstraction). It has been observed in 11 real-world CVEs.