[Forgot Password]
Login  Register Subscribe












Paid content will be excluded from the download.

Download | Alert*
view XML

UNIX Symbolic Link (Symlink) Following

ID: 61Date: (C)2012-05-14   (M)2012-11-08
Type: compound elementStatus: INCOMPLETE
Abstraction Type: Variant


The software, when opening a file or directory, does not sufficiently account for when the file is a symbolic link that resolves to a target outside of the intended control sphere. This could allow an attacker to cause the software to operate on unauthorized files.

Likelihood of Exploit: High to Very High

Applicable Platforms
Language Class: All

Time Of Introduction

  • Implementation

Related Attack Patterns

Common Consequences

ScopeTechnical ImpactNotes
Read files or directories
Modify files or directories

Detection Methods

Potential Mitigations

 Symbolic link attacks often occur when a program creates a tmp directory that stores files/links. Access to the directory should be restricted to the program as to prevent attackers from manipulating the files.
Architecture and Design
Separation of Privilege
Follow the principle of least privilege when assigning access rights to entities in a software system.
Denying access to a file can prevent an attacker from replacing that file with a link to a sensitive file. Ensure good compartmentalization in the system to provide protected areas that can be trusted.


Related CWETypeViewChain
CWE-61 Requires CWE-275 Category CWE-1000  

Demonstrative Examples

Observed Examples

  1. CVE-1999-1386 : Some versions of Perl follows symbolic links when running with the -e option, which allows local users to overwrite arbitrary files via a symlink attack.
  2. CVE-2000-1178 : Text editor follows symbolic links when creating a rescue copy during an abnormal exit, which allows local users to overwrite the files of other users.
  3. CVE-2004-0217 : Antivirus update allows local users to create or append to arbitrary files via a symlink attack on a logfile.
  4. CVE-2003-0517 : Symlink attack allows local users to overwrite files.
  5. CVE-2004-0689 : Possible interesting example
  6. CVE-2005-1879 : Second-order symlink vulnerabilities
  7. CVE-2005-1880 : Second-order symlink vulnerabilities
  8. CVE-2005-1916 : Symlink in Python program
  9. CVE-2000-0972 : Setuid product allows file reading by replacing a file being edited with a symlink to the targeted file, leaking the result in error messages when parsing fails.
  10. CVE-2005-0824 : Signal causes a dump that follows symlinks.

For more examples, refer to CVE relations in the bottom box.

White Box Definitions

Black Box Definitions

Taxynomy Mappings

PLOVER  UNIX symbolic link following


  1. Steve Christey .Second-Order Symlink Vulnerabilities. Bugtraq. 2005-06-07.
  2. Shaun Colley .Crafting Symlinks for Fun and Profit. Infosec Writers Text Library. 2004-04-12.
  3. Mark Dowd John McDonald Justin Schuh .The Art of Software Security Assessment 1st Edition. Addison Wesley. Section:'Chapter 9, "Symbolic Link Attacks", Page 518.'. Published on 2006.

© SecPod Technologies