How to Fix CWE-73? External Control of Filename

What is CWE 73?

CWE, or Common Weakness Enumeration 73, occurs when an unauthorized user gains external access to control a file in your system. CWE provides a standardized language and classification system to help identify, understand, and mitigate vulnerabilities in software and systems.

External Control of Filename or Path is a vulnerability that occurs when an application allows an external entity to influence the selection of a file or directory location within the system. In this scenario, user input, data from external sources, or other untrusted entities determine the filename or path.

Attackers can exploit this vulnerability by manipulating the filename or path to gain unauthorized access to sensitive files, overwrite or delete critical data, execute arbitrary code, or perform other malicious actions. This can lead to severe consequences such as unauthorized data disclosure, compromise, or complete system failure.

There are two reported CVEs related to CWE 73.

1. CVE-2008-5748

The BloofoxCMS 0.3.4 version has a vulnerability that allows attackers to read any file on the system by manipulating the lang, theme, and module parameters in the plugins/spaw2/dialogs/dialog.php file.

2. CVE-2008-5764

When using WorkSimple 1.2.1 with register_globals enabled, a vulnerability in the calendar.php file allows attackers to execute arbitrary PHP code by providing a URL in the lang parameter.

Examples of CWE 73

Consider this example: Imagine this snippet is part of the code for your institution’s web application. This code takes your name and loads the institution’s system’s data about you.

<form> 
<label for="fileName">Enter Your Name:</label> 
<input type="text" id="fileName" name="fileName">
<input type="submit" value="Save">
</form>

It stores your name in ‘fileName’.
This is the backend Java code that actually accesses the system’s files to look for the data.

public class FileLoader {
    public static void main(String[] args) throws IOException {
        String fileName = fileName;
        File file = new File("I:\YourInstitution\UserData\" + fileName+”.txt”);
        BufferedReader reader = new BufferedReader(new FileReader(file));
        String line;
        while ((line = reader.readLine()) != null) {
            System.out.println(line);
        }
        reader.close();
    }
}

Here, if the user just typed in their name on the website, say Tom Cruise, the file being accessed would be
I:\YourInstitution\UserData\Tom Cruise.”txt”

And your data would be displayed.

However, since the user input is not being validated and sanitised, a user could type in someone else’s name and access their file. Worse yet, in case a hacker finds out your institution is using a Java Script, they could enter the below snippet instead of a name at all
..\secret-files\confidential.txt

And the file name would be 
I:\YourInstitution\UserData\..\secret-files\confidential.txt

The ../ in the file name represents the parent directory, allowing the user to traverse up the directory hierarchy and potentially access files outside of the intended directory.

By combining ../ with additional directory traversal patterns, an attacker could manipulate the file path and access files in different directories they are not authorized to access. This poses a security risk and can lead to unauthorized access or exposure to sensitive information.

Mitigation strategies against CWE 73

CWE-73, or External Control of Filename or Path, poses significant risks and potential impact on the security and integrity of software systems.

An attacker can traverse directories, access sensitive files, or even overwrite critical system files by injecting malicious input. This can result in the unauthorized disclosure of sensitive information, system compromise, data loss, or disruption of services. 

Organizations must address this vulnerability promptly and implement appropriate mitigation measures to protect their systems and data from exploitation. Below are some of the most effective remediation strategies.

Mapping 

One effective approach is to implement a mapping system that restricts the input values for filenames to a predefined set.

Organizations can ensure that only valid and authorized inputs are accepted by creating a mapping between fixed input values, such as numeric IDs, and the corresponding filenames. For instance, specific IDs can be mapped to specific filenames, such as ID 1 mapping to "Tom Cruise.txt" and ID 2 mapping to "Tom Hanks.txt".

Sandboxing

Implementing technologies such as the Unix chroot jail or AppArmor can provide this sandboxing capability. By confining the execution environment to a restricted directory, the impact of directory traversal attacks can be limited to that specific directory. This helps mitigate the risk of unauthorized access to sensitive files outside the designated boundaries.

Good Read: Enhancing Mobile App Security through Sandboxing & Isolation

Input validation

Adopting a security mindset that assumes all input is potentially malicious is crucial. Employ an "accept known good" strategy by defining a list of acceptable inputs strictly following specifications. Reject or transform any input that deviates from these specifications.

When performing input validation, consider various properties such as input length, type, range of acceptable values, consistency, syntax, and conformance to business rules. It is essential to validate all relevant aspects and not solely rely on searching for explicitly malicious or malformed inputs. Utilise denylists to detect potential attacks or identify inputs that are so malformed that they should be outright rejected.

Avoid relying solely on filtering mechanisms that remove potentially dangerous characters. Such approaches, akin to deny lists, may be incomplete or prone to errors. For instance, filtering "/" may be insufficient if "\" is a valid directory separator. Additionally, be cautious of filtering techniques that still result in dangerous data. For example, sequential removal of "../" sequences may leave behind the "../" string in the remaining characters.

Testing

At the end of the day, manual analysis, like penetration testing, is the best option. Testers look through the eyes of threat actors who could later exploit these vulnerabilities and determine the level of risk behind them. The records and understanding of the testers after a successful ethical hack can be used to later model an effective automated sieve that only allows benign requests and safeguards your software or website against CWE 73.

Conclusion

In conclusion, CWE-73, which involves external control of filenames or paths, poses significant risks to software applications and must be addressed with the utmost attention. Hackers can exploit this vulnerability by manipulating input data to gain unauthorized access to files or execute arbitrary code, potentially leading to data breaches, system compromise, and unauthorized activities.

The potential harm caused by CWE-73 emphasizes the critical importance of implementing effective mitigation strategies. Organizations can significantly reduce the risk associated with this vulnerability by following the recommended measures.

Overall, mitigating CWE-73 requires a proactive and comprehensive approach involving secure coding practices, proper input validation, access controls, and continuous monitoring. By prioritizing security and following these best practices, organizations can enhance the resilience of their systems, safeguard sensitive data, and protect against external control of filenames or paths.

How can Appknox help in fixing CWE-73?

Appknox's mobile-focused vulnerability assessment tool helps to surface unknown vulnerabilities with the expertise of our white-hat penetration testers. 

Our end-to-end penetration testing lets you discover critical risks in your applications, such as CWE 73 and hundreds of others. Besides, our white-hat security experts customize penetration tests to align with your unique business needs and focus on critical areas for maximum impact.

With real-time insights on an intuitive dashboard, you can now avoid false positives and negatives, empowering informed decision-making.

Book a demo with us to learn more.

Book your demo now!

Frequently Asked Questions (FAQs)

1. What is the severity of External Control of Filename or Path?

CWE-78, or external control of filename or path, is a highly severe vulnerability. The CVSS score for CWE 73 is 7.5.

2. What is the impact of External Control of File Name or Path?

CWE-73, External Control of Filename or Path, poses risks of unauthorized access, data loss, and system compromise. Attackers can manipulate input to traverse directories, access sensitive files, or overwrite critical system files.

3. Are there any specific programming languages or frameworks more susceptible to this vulnerability?

No specific language or framework is immune to this vulnerability. It can arise in various environments and programming languages if proper security practices are not followed.

4. How can the External Control of Filename or Path be prevented?

Regular security testing and code reviews conducted by industry professionals can prevent CWE 73. In addition, using secure APIs, implementing strict input validation, using a whitelist of allowed inputs, and applying proper access controls can be instrumental in safeguarding against CWE 73.