Downloads:
Back to the previous page
| Test Case ID |  156816 |
| Bad / Good / Mixed | Bad |
| Author | IARPA STONESOUP Test and Evaluation team |
| Associations | Test suite: 102 Application: 12 |
| Added by | Charles Oliveira |
| Language | Java |
| Type of test case | Source Code |
| Input string | |
| Expected Output | |
| Instructions | See src/build.xml. |
| Submission date | 2015-10-06 |
| Description | The software uses external input to construct a pathname that should be within a restricted directory, but it does not neutralize absolute path sequences such as '/abs/path' that can resolve to a location that is outside of that directory. This test takes in a filename to read. Since the provided filename isn't checked to ensure it doesn't contain an absolute path, it allows reading of any file on the system. Metadata - Base program: Apache JMeter - Source Taint: SOCKET - Data Type: SIMPLE - Data Flow: BASIC - Control Flow: SEQUENCE |
| File(s) |
|
| Flaw |
There are no comments
Have any comments on this test case? Please,
.
- GenericController.java
- service_mon.sh
- http-test.jmx
- http-test.jmx
- http-test.jmx
- runFifos.py
- http-test.jtl
- J-C036A-JMET-01-ST03-DT02-DF11-CF20-01.xml
- J-C036A-JMET-01-ST03-DT02-DF11-CF20-01.yaml
File Contains:
CWE-036: Absolute Path Traversal on line(s): 622, 623, 624, 625, 626
CWE-036: Absolute Path Traversal on line(s): 622, 623, 624, 625, 626