Base · Medium

CWE-66: Improper Handling of File Names that Identify Virtual Resources

CWE-66 · Base Level · 3 CVEs

Description

The product does not handle or incorrectly handles a file name that identifies a "virtual" resource that is not directly specified within the directory that is associated with the file name, causing the product to perform file-based operations on a resource that is not a file.

Virtual file names are represented like normal file names, but they are effectively aliases for other resources that do not behave like normal files. Depending on their functionality, they could be alternate entities. They are not necessarily listed in directories.

Potential Impact

Other

Other

Demonstrative Examples

Consider a web server that uses the Apple HFS+ file system. It interprets FILE.cgi as processing instructions.
An adversary could request "FILE.cgi/..namedfork/data" to prevent FILE.cgi from being executed, instead disclosing the source code for FILE.cgi. This might occur because the web server invokes the default handler which may return the contents of the file.
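The example below is added here and is not part of the CWE entry. It shows a request-path check that rejects the three kinds of virtual names this page mentions (HFS+ named forks, "::$DATA" streams, MS-DOS device names) before a handler is chosen. The function names, handler labels and sample paths are constructed for illustration.

```python
import re
from urllib.parse import unquote

# Reserved MS-DOS device names; Windows resolves them even with an extension.
_DOS_DEVICES = re.compile(r"^(con|prn|aux|nul|com[1-9]|lpt[1-9])(\..*)?$", re.I)


def virtual_name_reason(url_path):
    """Return why url_path names a virtual resource, or None if it does not."""
    # Decode first so "%3A%3A$DATA" is checked in the form the file system sees.
    for segment in unquote(url_path).replace("\\", "/").split("/"):
        # Windows ignores trailing dots and spaces when resolving a name.
        name = segment.rstrip(". ")
        if ":" in segment:
            return "NTFS stream syntax"   # e.g. page.asp::$DATA
        if segment.lower() == "..namedfork":
            return "HFS+ named fork"      # e.g. FILE.cgi/..namedfork/data
        if _DOS_DEVICES.match(name):
            return "MS-DOS device name"   # e.g. aux.jsp
    return None


def naive_handler(url_path):
    """Weak form: picks the handler from the suffix of the raw request path."""
    scripts = (".cgi", ".asp", ".jsp")
    return "execute" if url_path.lower().endswith(scripts) else "static"


def hardened_handler(url_path):
    """Reject virtual names before any suffix-based handler selection."""
    if virtual_name_reason(url_path) is not None:
        return "reject"
    return naive_handler(url_path)


if __name__ == "__main__":
    # Constructed sample request paths, not taken from any real log.
    samples = ["/cgi-bin/FILE.cgi", "/cgi-bin/FILE.cgi/..namedfork/data",
               "/app/page.asp::$DATA", "/app/aux.jsp", "/app/console.jsp"]
    for path in samples:
        print(f"{path:40} naive={naive_handler(path):8} "
              f"hardened={hardened_handler(path)}")
```

The colon rule is deliberately conservative and assumes request paths map directly to file names; an application that serves URLs with legitimate colons would need to apply it only at the point where a path is turned into a file name.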

Detection Methods

  • Automated Static Analysis - Binary or Bytecode (effectiveness: SOAR Partial) — According to SOAR [REF-1479], the following detection techniques may be useful:
  • Manual Static Analysis - Binary or Bytecode (effectiveness: SOAR Partial) — According to SOAR [REF-1479], the following detection techniques may be useful:
  • Dynamic Analysis with Automated Results Interpretation (effectiveness: SOAR Partial) — According to SOAR [REF-1479], the following detection techniques may be useful:
  • Dynamic Analysis with Manual Results Interpretation (effectiveness: SOAR Partial) — According to SOAR [REF-1479], the following detection techniques may be useful:
  • Manual Static Analysis - Source Code (effectiveness: High) — According to SOAR [REF-1479], the following detection techniques may be useful:
  • Automated Static Analysis - Source Code (effectiveness: SOAR Partial) — According to SOAR [REF-1479], the following detection techniques may be useful:

Real-World CVE Examples

CVE ID | Description
CVE-1999-0278 | In IIS, remote attackers can obtain source code for ASP files by appending "::$DATA" to the URL.
CVE-2004-1084 | Server allows remote attackers to read files and resource fork content via HTTP requests to certain special file names related to multiple data streams in HFS+.
CVE-2002-0106 | Server allows remote attackers to cause a denial of service via a series of requests to .JSP files that contain an MS-DOS device name.

Taxonomy Mappings

  • PLOVER: Virtual Files

Frequently Asked Questions

What is CWE-66?

CWE-66 (Improper Handling of File Names that Identify Virtual Resources) is a software weakness identified by MITRE's Common Weakness Enumeration. It is classified as a Base-level weakness. The product does not handle or incorrectly handles a file name that identifies a "virtual" resource that is not directly specified within the directory that is associated with the file name, causing t...

How can CWE-66 be exploited?

The impact of exploiting CWE-66 (Improper Handling of File Names that Identify Virtual Resources) is classified as "Other". This weakness is typically introduced during the Implementation and Operation phases of software development.

How do I prevent CWE-66?

Follow secure coding practices, conduct code reviews, and use automated security testing tools (SAST/DAST) to detect this weakness early in the development lifecycle.

What is the severity of CWE-66?

CWE-66 is classified as a Base-level weakness (Medium abstraction). It has been observed in 3 real-world CVEs.