CWE-66
Improper Handling of File Names that Identify Virtual Resources
Draft
2006-07-19
00h00 +00:00
00h00 +00:00
2025-12-11
00h00 +00:00
00h00 +00:00
Notificaciones para un CWE
Manténgase informado sobre cualquier cambio en un CWE específico.
Nombre: Improper Handling of File Names that Identify Virtual Resources
The product does not handle or incorrectly handles a file name that identifies a "virtual" resource that is not directly specified within the directory that is associated with the file name, causing the product to perform file-based operations on a resource that is not a file.
Descripción CWE
Virtual file names are represented like normal file names, but they are effectively aliases for other resources that do not behave like normal files. Depending on their functionality, they could be alternate entities. They are not necessarily listed in directories.
Informaciones generales
Modos de introducción
ImplementationOperation
Plataformas aplicables
Lenguaje
Class: Not Language-Specific (Undetermined)Consecuencias comunes
| Alcance | Impacto | Probabilidad |
|---|---|---|
| Other | Other |
Ejemplos observados
| Referencias | Descripción |
|---|---|
CVE-1999-0278 | In IIS, remote attackers can obtain source code for ASP files by appending "::$DATA" to the URL. |
CVE-2004-1084 | Server allows remote attackers to read files and resource fork content via HTTP requests to certain special file names related to multiple data streams in HFS+. |
CVE-2002-0106 | Server allows remote attackers to cause a denial of service via a series of requests to .JSP files that contain an MS-DOS device name. |
Métodos de detección
Automated Static Analysis - Binary or Bytecode
Efectividad : SOAR PartialManual Static Analysis - Binary or Bytecode
Efectividad : SOAR PartialDynamic Analysis with Automated Results Interpretation
Efectividad : SOAR PartialDynamic Analysis with Manual Results Interpretation
Efectividad : SOAR PartialManual Static Analysis - Source Code
Efectividad : HighAutomated Static Analysis - Source Code
Efectividad : SOAR PartialArchitecture or Design Review
Efectividad : HighNotas de mapeo de vulnerabilidades
Justificación : This CWE entry is at the Base level of abstraction, which is a preferred level of abstraction for mapping to the root causes of vulnerabilities.Comentario : Carefully read both the name and description to ensure that this mapping is an appropriate fit. Do not try to 'force' a mapping to a lower-level Base/Variant simply to comply with this preferred level of abstraction.
Referencias
REF-1479
State-of-the-Art Resources (SOAR) for Software Vulnerability Detection, Test, and EvaluationGregory Larsen, E. Kenneth Hong Fong, David A. Wheeler, Rama S. Moorthy.
https://www.ida.org/-/media/feature/publications/s/st/stateoftheart-resources-soar-for-software-vulnerability-detection-test-and-evaluation/p-5061.ashx
Envío
| Nombre | Organización | Fecha | Fecha de lanzamiento | Version |
|---|---|---|---|---|
| PLOVER | Draft 3 |
Modificaciones
| Nombre | Organización | Fecha | Comentario |
|---|---|---|---|
| Eric Dalci | Cigital | updated Time_of_Introduction | |
| CWE Content Team | MITRE | updated Description, Relationships, Taxonomy_Mappings, Type | |
| CWE Content Team | MITRE | updated Description, Name | |
| CWE Content Team | MITRE | updated Common_Consequences | |
| CWE Content Team | MITRE | updated Relationships | |
| CWE Content Team | MITRE | updated Detection_Factors, Relationships | |
| CWE Content Team | MITRE | updated Affected_Resources, Applicable_Platforms, Relationships | |
| CWE Content Team | MITRE | updated Relationships | |
| CWE Content Team | MITRE | updated Relationships, Time_of_Introduction | |
| CWE Content Team | MITRE | updated Mapping_Notes | |
| CWE Content Team | MITRE | updated Observed_Examples | |
| CWE Content Team | MITRE | updated Detection_Factors, References | |
| CWE Content Team | MITRE | updated Demonstrative_Examples, Weakness_Ordinalities |
