Improper Limitation of a Pathname to a Restricted Directory ('Path Traversal')

Description

Path Traversal (also known as Directory Traversal) is a vulnerability that occurs when software uses external input to construct a pathname intended to identify a file or directory located underneath a restricted parent directory, but fails to properly neutralize special elements such as ".." and "/" that can cause the pathname to resolve to a location outside of the restricted directory. Attackers exploit this weakness by manipulating file path references using sequences like "../" to escape the intended directory and access arbitrary files on the system. This can lead to unauthorized reading of sensitive configuration files, source code, credentials, or even writing malicious files to the server.

Risk

Path traversal vulnerabilities pose severe risks to application security as they allow attackers to break out of the intended directory structure and access files anywhere on the file system accessible to the application. Successful exploitation can result in exposure of sensitive system files like /etc/passwd, application configuration containing database credentials, session tokens, API keys, and proprietary source code. In cases where the vulnerability allows writing files, attackers may upload webshells or overwrite critical configuration files, potentially leading to complete system compromise. These vulnerabilities are particularly dangerous in VPN appliances and network security devices where they can expose credentials for entire corporate networks.

Solution

Implement strict input validation using an allowlist of permitted filenames or path components rather than trying to block malicious sequences. Use canonical path functions to resolve paths and verify the resulting absolute path falls within the intended directory before any file operations. Avoid passing user-supplied input directly to filesystem APIs when possible; instead, use indirect references such as database IDs that map to file locations server-side. Configure the application to run with minimal file system permissions and use chroot jails or containerization to limit the accessible file system scope. Implement proper access controls at the file system level as defense in depth.

Common Consequences

Impact          | Details
----------------|--------
Confidentiality | Attackers can read arbitrary files from the server including configuration files, source code, credentials, encryption keys, and sensitive user data, leading to information disclosure.
Integrity       | If the vulnerability allows file writing, attackers can modify application files, inject malicious code, alter configuration settings, or plant backdoors on the system.
Availability    | Attackers could delete critical files or overwrite configuration files, causing application crashes or denial of service conditions.
Access Control  | By accessing credential files or session data, attackers can escalate privileges, impersonate users, or gain administrative access to systems and networks.

Example Code + Solution Code

The following example demonstrates a vulnerable PHP application that serves files based on user input without proper path validation:

Vulnerable Code

<?php
// VULNERABLE: User input directly used in file path
$filename = $_GET['file'];
$basePath = '/var/www/uploads/';

// Attacker can use: ?file=../../../etc/passwd
$filepath = $basePath . $filename;

if (file_exists($filepath)) {
    header('Content-Type: application/octet-stream');
    header('Content-Disposition: attachment; filename="' . basename($filename) . '"');
    readfile($filepath);
} else {
    echo "File not found.";
}
?>

This code is vulnerable because it concatenates user input directly with the base path. An attacker can supply ../../../etc/passwd to traverse up the directory tree and access system files outside the intended uploads directory.

Fixed Code

<?php
$userInput = $_GET['file'] ?? '';
$basePath = '/var/www/uploads/';

// Remove any null bytes (poison null byte attack prevention)
$userInput = str_replace("\0", '', $userInput);

// Get the canonical absolute path of the base directory. realpath() strips a
// trailing slash, so the separator is appended again for the prefix check below;
// without it a sibling directory whose name merely begins with "uploads" would pass.
$realBase = realpath($basePath);
if ($realBase === false) {
    http_response_code(500);
    die("Server misconfiguration.");
}
$realBase = rtrim($realBase, DIRECTORY_SEPARATOR) . DIRECTORY_SEPARATOR;

// Resolve the requested path; realpath() also follows symlinks and collapses ".."
// and returns false when the target does not exist
$requestedPath = realpath($basePath . $userInput);

// Reject missing paths and anything that is not a regular file (e.g. the base
// directory itself when the parameter is empty)
if ($requestedPath === false || !is_file($requestedPath)) {
    http_response_code(404);
    die("File not found.");
}

// Validate the resolved path is within the allowed directory
if (strncmp($requestedPath, $realBase, strlen($realBase)) !== 0) {
    // Path escapes the base directory - reject the request
    http_response_code(403);
    error_log("Path traversal attempt detected: " . $userInput);
    die("Access denied.");
}

// Additional validation: only allow specific file extensions
$allowedExtensions = ['pdf', 'jpg', 'png', 'txt'];
$extension = strtolower(pathinfo($requestedPath, PATHINFO_EXTENSION));

if (!in_array($extension, $allowedExtensions, true)) {
    http_response_code(403);
    die("File type not allowed.");
}

// File is safe to serve
header('Content-Type: application/octet-stream');
header('Content-Disposition: attachment; filename="' . basename($requestedPath) . '"');
header('X-Content-Type-Options: nosniff');
readfile($requestedPath);
?>

The fixed code uses realpath() to resolve the canonical absolute path of both the base directory and the requested file, which collapses ".." segments and follows symbolic links before any comparison is made. It then verifies that the resolved path starts with the base path, ensuring no traversal beyond the allowed directory occurred; the prefix being compared must end with a directory separator, otherwise a sibling directory whose name merely begins with the base directory's name would pass the check. Additional safeguards include null byte removal, extension allowlisting, and security headers.
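The canonicalise-then-verify check described in the Solution section and implemented in the PHP fix above, carried through as an added Python example that is not code from the original page: it builds a constructed directory tree under a temporary directory and shows how a whole-component comparison (os.path.commonpath) rejects the sibling-directory, symlink, absolute-path and null-byte cases that a plain string-prefix test does not handle. The directory and file names (uploads, uploads_old, report.pdf, secret.cfg, link.cfg) are constructed for the demonstration.

```python
import os
import tempfile
from typing import Dict, Optional

def resolve_under_base(base_dir: str, user_path: str) -> Optional[str]:
    """Return the canonical path of user_path inside base_dir, or None if it
    escapes (via .., absolute paths, symlinks or a null byte) or is not a file."""
    if "\0" in user_path:  # poison null byte: reject rather than strip
        return None
    real_base = os.path.realpath(base_dir)
    # os.path.join would discard real_base for an absolute user_path, so drop
    # leading separators and always anchor the candidate under the base
    candidate = os.path.realpath(os.path.join(real_base, user_path.lstrip("/\\")))
    # commonpath compares whole components: "<base>_old/x" is rejected, whereas
    # a plain startswith(real_base) prefix test would accept it
    if os.path.commonpath([real_base, candidate]) != real_base:
        return None
    return candidate if os.path.isfile(candidate) else None

def naive_prefix_check(base_dir: str, user_path: str) -> bool:
    # The flawed variant: string prefix test without a trailing separator
    real_base = os.path.realpath(base_dir)
    return os.path.realpath(os.path.join(real_base, user_path)).startswith(real_base)

def build_fixture() -> str:
    """Constructed tree (sample data, not real files): uploads/report.pdf is the
    legitimate file; uploads_old/secret.txt is a sibling directory; secret.cfg
    lies outside the base and uploads/link.cfg is a symlink pointing at it."""
    root = tempfile.mkdtemp()
    uploads = os.path.join(root, "uploads")
    os.makedirs(uploads)
    os.makedirs(os.path.join(root, "uploads_old"))
    for rel in ("uploads/report.pdf", "uploads_old/secret.txt", "secret.cfg"):
        with open(os.path.join(root, rel), "w") as fh:
            fh.write("constructed sample content\n")
    os.symlink(os.path.join(root, "secret.cfg"), os.path.join(uploads, "link.cfg"))
    return uploads

def run_cases(uploads: str) -> Dict[str, bool]:
    """Map each requested name to whether resolve_under_base() would serve it."""
    requests = ["report.pdf", "sub/../report.pdf", "../uploads_old/secret.txt",
                "../secret.cfg", "/etc/passwd", "link.cfg", "report.pdf\0.jpg", ""]
    return {r: resolve_under_base(uploads, r) is not None for r in requests}

if __name__ == "__main__":
    base = build_fixture()
    for name, served in run_cases(base).items():
        print(f"{name!r:30} -> {'served' if served else 'rejected'}")
    print("naive prefix check accepts ../uploads_old/secret.txt:",
          naive_prefix_check(base, "../uploads_old/secret.txt"))  # True
```

Only report.pdf and the in-base traversal sub/../report.pdf are served; every other request is rejected, while the naive prefix check still accepts the sibling directory.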


Exploited in the Wild

Fortinet FortiOS SSL VPN Breach (Multiple Organizations, 2019-2021)

CVE-2018-13379, a critical path traversal vulnerability in Fortinet FortiOS SSL VPN web portal, was massively exploited starting in 2019. The vulnerability allowed unauthenticated attackers to download the sslvpn_websessions file containing usernames and plaintext passwords. In November 2020, credentials for approximately 50,000 vulnerable Fortinet VPN devices were leaked online. CISA and FBI issued a joint advisory in April 2021 warning of ongoing APT exploitation targeting government agencies and critical infrastructure.

Pulse Secure VPN Mass Exploitation (Government & Enterprise, 2019-2021)

CVE-2019-11510, a pre-authentication path traversal vulnerability in Pulse Secure VPN appliances, was exploited extensively against U.S. government agencies, critical infrastructure, and private sector organizations. The vulnerability allowed attackers to read arbitrary files including authentication credentials. Travelex, the currency exchange company, suffered a devastating ransomware attack after criminals exploited this vulnerability to deploy REvil ransomware. Iranian state-sponsored hackers were also observed using this vulnerability to penetrate IT and telecom companies worldwide.

Atlassian Jira Service Desk Data Exposure (Atlassian Customers, 2019)

In September 2019, researchers discovered a critical path traversal vulnerability in Atlassian's Jira Service Desk Server and Data Center products. The vulnerability allowed attackers to access sensitive customer information stored in Jira installations by traversing directories to reach protected files. Given Jira's widespread use in enterprise environments for project management and issue tracking, this vulnerability potentially exposed confidential business data across numerous organizations.


Tools to test/exploit

  • Burp Suite — professional web security testing platform with built-in path traversal payload lists in Burp Intruder for fuzzing file parameters with various encoding techniques.

  • dotdotpwn — a directory traversal fuzzer that automates testing for path traversal vulnerabilities across HTTP, FTP, TFTP, and other protocols with multiple encoding schemes.

  • OWASP ZAP — open-source security scanner with active scan rules for detecting path traversal vulnerabilities and automated fuzzing capabilities.


CVE Examples

  • CVE-2019-11510 — Pulse Secure VPN arbitrary file read via path traversal allowing unauthenticated access to sensitive files including cached credentials.

  • CVE-2018-13379 — Fortinet FortiOS SSL VPN path traversal enabling unauthenticated download of system files containing VPN session credentials.

  • CVE-2024-23334 — aiohttp Python library directory traversal vulnerability actively exploited by ransomware actors.

  • CVE-2023-32315 — Openfire XMPP server path traversal allowing unauthenticated admin account creation.


References

  1. MITRE. "CWE-22: Improper Limitation of a Pathname to a Restricted Directory ('Path Traversal')." Common Weakness Enumeration. https://cwe.mitre.org/data/definitions/22.html

  2. OWASP. "Path Traversal." OWASP Foundation. https://owasp.org/www-community/attacks/Path_Traversal

  3. PortSwigger. "What is path traversal, and how to prevent it?" Web Security Academy. https://portswigger.net/web-security/file-path-traversal

  4. CISA. "Exploitation of Pulse Connect Secure Vulnerabilities." Cybersecurity Advisory. https://www.cisa.gov/news-events/cybersecurity-advisories/aa21-110a