[Forgot Password]
Login  Register Subscribe

23631

 
 

115038

 
 

96078

 
 

909

 
 

78009

 
 

109

Paid content will be excluded from the download.


Download | Alert*
CWE
view XML

Improper Handling of Apple HFS+ Alternate Data Stream Path

ID: 72Date: (C)2012-05-14   (M)2012-11-08
Type: weaknessStatus: INCOMPLETE
Abstraction Type: Variant





Description

The software does not properly handle special paths that may identify the data or resource fork of a file on the HFS+ file system.

Extended Description

If the software chooses actions to take based on the file name, then if an attacker provides the data or resource fork, the software may take unexpected actions. Further, if the software intends to restrict access to a file, then an attacker might still be able to bypass intended access restrictions by requesting the data or resource fork for that file.

Applicable Platforms
Language Class: All
Operating System Class: Mac OS

Time Of Introduction

  • Architecture and Design
  • Implementation

Common Consequences

ScopeTechnical ImpactNotes
Confidentiality
Integrity
 
Read files or directories
Modify files or directories
 
 

Detection Methods
None

Potential Mitigations
None

Relationships

Related CWETypeViewChain
CWE-72 ChildOf CWE-893 Category CWE-888  

Demonstrative Examples   (Details)

  1. A web server that interprets FILE.cgi as processing instructions could disclose the source code for FILE.cgi by requesting FILE.cgi/..namedfork/data. This might occur because the web server invokes the default handler which may return the contents of the file.

Observed Examples

  1. CVE-2004-1084 : Server allows remote attackers to read files and resource fork content via HTTP requests to certain special file names related to multiple data streams in HFS+.

For more examples, refer to CVE relations in the bottom box.

White Box Definitions
None

Black Box Definitions
None

Taxynomy Mappings

TaxynomyIdNameFit
PLOVER  Apple HFS+ alternate data stream
 
 

References:

  1. .. Apple Inc..

© 2013 SecPod Technologies