CAPEC-CAPEC-597 - CERT CVE
Naziv

Absolute Path Traversal

Sažetak An adversary with access to file system resources, either directly or via application logic, will use various file absolute paths and navigation mechanisms such as ".." to extend their range of access to inappropriate areas of the file system. The goal of the adversary is to access directories and files that are intended to be restricted from their access.
Preduvjeti The target must leverage and access an underlying file system.
Rješenja ['Design: Configure the access control correctly.', 'Design: Enforce principle of least privilege.', 'Design: Execute programs with constrained privileges, so parent process does not open up further vulnerabilities. Ensure that all directories, temporary directories and files, and memory are executing with limited privileges to protect against remote execution.', 'Design: Input validation. Assume that user inputs are malicious. Utilize strict type, character, and encoding enforcement.', 'Design: Proxy communication to host, so that communications are terminated at the proxy, sanitizing the requests before forwarding to server host.', 'Design: Run server interfaces with a non-root account and/or utilize chroot jails or other configuration techniques to constrain privileges even if attacker gains some limited access to commands.', 'Implementation: Host integrity monitoring for critical files, directories, and processes. The goal of host integrity monitoring is to be aware when a security issue has occurred so that incident response and other forensic activities can begin.', 'Implementation: Perform input validation for all remote content, including remote and user-generated content.', 'Implementation: Perform testing such as pen-testing and vulnerability scanning to identify directories, programs, and interfaces that grant direct access to executables.', 'Implementation: Use indirect references rather than actual file names.', 'Implementation: Use possible permissions on file access when developing and deploying web applications.', 'Implementation: Validate user input by only accepting known good. Ensure all content that is delivered to client is sanitized against an acceptable content specification using an allowlist approach.']