Externally Controlled Reference to a Resource in Another Sphere

Description: The product uses an externally controlled name or reference that resolves to a resource that is outside of the intended control sphere.
Extended Description:
Applicable Platforms: None
Time Of Introduction:
Related Attack Patterns:
Common Consequences:
Detection Methods: None
Potential Mitigations: None
Relationships: This is a general class of weakness, but most research is focused on more specialized cases, such as path traversal (CWE-22) and symlink following (CWE-61). A symbolic link has a name; in general, it appears like any other file in the file system. However, the link includes a reference to another file, often in another directory, perhaps in another sphere of control. Many common library functions that accept filenames will "follow" a symbolic link and use the link's target instead.
Demonstrative Examples: None
White Box Definitions: None
Black Box Definitions: None
Taxonomy Mappings:
References: None
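The Relationships text above notes that both path traversal and symlink following are instances of one problem: an external name resolves to a resource outside the intended sphere. The following is an added example, not part of this entry and not code from any project, showing one way a defender can enforce the boundary generically: resolve the reference fully (following every link and collapsing every "..") and only then check that the result still lies under the intended directory. The `docs`/`outside` layout, the file names and the `resolve_within`/`read_within`/`classify`/`demo` helpers are all constructed for the illustration; the fixture is built in a temporary directory so the block runs offline.

```python
import os
import tempfile


def resolve_within(base_dir: str, user_ref: str) -> str:
    """Resolve user_ref relative to base_dir and return the canonical path,
    or raise PermissionError if it lands outside base_dir.

    realpath() follows every symbolic link and collapses every '..', so both a
    traversal string and a link whose target lies elsewhere become a path that
    the commonpath check below rejects. Checking the resolved path (rather than
    the raw input) is what makes one check cover both CWE-22 and CWE-61.
    """
    base_real = os.path.realpath(base_dir)
    # os.path.join discards base_real when user_ref is absolute, which is
    # exactly why the check must run on the resolved result, not on the input.
    candidate = os.path.realpath(os.path.join(base_real, user_ref))
    try:
        inside = os.path.commonpath([base_real, candidate]) == base_real
    except ValueError:  # different drives on Windows: certainly outside
        inside = False
    if not inside:
        raise PermissionError(
            f"{user_ref!r} resolves to {candidate!r}, outside {base_real!r}"
        )
    return candidate


def read_within(base_dir: str, user_ref: str) -> bytes:
    """Open and read a file only if it resolves inside base_dir.

    O_NOFOLLOW narrows the window between realpath() and open(): if the last
    path component has been swapped for a symlink in the meantime, open()
    fails instead of silently following it. It is a no-op where unsupported.
    """
    path = resolve_within(base_dir, user_ref)
    flags = os.O_RDONLY | getattr(os, "O_NOFOLLOW", 0)
    fd = os.open(path, flags)
    with os.fdopen(fd, "rb") as fh:
        return fh.read()


def classify(base_dir: str, user_ref: str) -> str:
    """Return 'ok' or 'rejected' for one reference (used by demo())."""
    try:
        read_within(base_dir, user_ref)
        return "ok"
    except PermissionError:
        return "rejected"


def demo() -> dict:
    """Build a constructed fixture and classify four kinds of reference.

    Layout: <tmp>/docs is the intended sphere; <tmp>/outside/secret.txt lies
    outside it; <tmp>/docs/link.txt is a symlink pointing at the secret.
    """
    root = tempfile.mkdtemp()
    docs = os.path.join(root, "docs")
    outside = os.path.join(root, "outside")
    os.makedirs(docs)
    os.makedirs(outside)
    with open(os.path.join(docs, "readme.txt"), "wb") as fh:
        fh.write(b"public")
    secret = os.path.join(outside, "secret.txt")
    with open(secret, "wb") as fh:
        fh.write(b"private")
    os.symlink(secret, os.path.join(docs, "link.txt"))
    refs = [
        "readme.txt",             # ordinary file inside the sphere -> ok
        "../outside/secret.txt",  # path traversal (CWE-22)        -> rejected
        "link.txt",               # symlink following (CWE-61)     -> rejected
        secret,                   # absolute reference              -> rejected
    ]
    return {ref: classify(docs, ref) for ref in refs}


if __name__ == "__main__":
    for ref, verdict in demo().items():
        print(f"{verdict:8} {ref}")
```

The check is deliberately placed after resolution: a string comparison on the raw input would pass "link.txt" even though its target is outside the directory. The remaining gap is the time between `realpath()` and `open()`; `O_NOFOLLOW` closes it for the final component only, so code that must be robust against a writable intermediate directory should additionally open each component step by step (for example with `O_DIRECTORY` and `dir_fd`-relative opens) rather than trust a single resolved string.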