Absolute Path Traversal

Description

Absolute Path Traversal is a vulnerability that occurs when software accepts user input containing absolute file paths (paths that start from the filesystem root) without properly validating that the specified path is within an authorized directory. Unlike relative path traversal which uses sequences like "../" to navigate upward, absolute path traversal allows attackers to directly specify complete paths such as "/etc/passwd" on Unix systems or "C:\Windows\system32\config\SAM" on Windows. This vulnerability bypasses directory restrictions by ignoring any base directory the application intends to use, giving attackers direct access to any file readable by the application process.

Risk

Absolute path traversal vulnerabilities allow attackers to bypass directory restrictions entirely by specifying complete filesystem paths. This grants immediate access to sensitive system files including /etc/passwd (user accounts), /etc/shadow (password hashes on misconfigured systems), application configuration files, database credentials, private keys, and source code. The attack is particularly dangerous because it requires no directory traversal sequences that security filters might detect, making it easier to bypass naive security controls. Applications running with elevated privileges expose a larger portion of the filesystem to potential compromise. Successful exploitation can lead to credential theft, privilege escalation, and complete system compromise.

Solution

Validate all user-supplied paths against an allowlist of permitted file names or identifiers rather than accepting arbitrary paths. If file paths must be accepted, strip or reject any absolute path indicators (leading "/" on Unix or drive letters like "C:" on Windows) and ensure all paths are treated as relative to a designated base directory. After constructing the full path, use canonical path resolution to obtain the absolute form and verify it falls within allowed boundaries before performing file operations. Implement path validation on the server side as client-side checks can be easily bypassed. Deploy applications with minimal filesystem read permissions to limit exposure if the vulnerability is exploited.

Common Consequences

  • Confidentiality: Attackers can directly specify absolute paths to sensitive files, exposing configuration data, credentials, encryption keys, and proprietary source code without needing directory traversal sequences.

  • Integrity: If the vulnerability allows writing files via absolute paths, attackers can overwrite critical system configurations, inject malicious code, or modify authentication data.

  • Availability: Critical system files could be deleted or corrupted through absolute path manipulation, causing system instability or complete denial of service.

  • Access Control: Direct access to credential stores, session files, or authentication configuration can enable privilege escalation and unauthorized access to protected resources.

Example Code + Solution Code

The following example demonstrates a vulnerable Python Flask application that handles file downloads using user-supplied paths:

Vulnerable Code

from flask import Flask, request, send_file
import os

app = Flask(__name__)
DOCUMENTS_DIR = "/var/www/app/documents"

@app.route('/download')
def download_file():
    # VULNERABLE: Accepts absolute paths from user input
    filepath = request.args.get('path')

    # Attacker can use: ?path=/etc/passwd
    # The absolute path completely ignores DOCUMENTS_DIR
    if os.path.exists(filepath):
        return send_file(filepath)
    else:
        return "File not found", 404

@app.route('/read')
def read_file():
    # VULNERABLE: No validation of user-supplied path
    filename = request.args.get('file')

    # If user supplies "/etc/passwd", this reads the system file
    with open(filename, 'r') as f:
        return f.read()

if __name__ == '__main__':
    app.run()

Both endpoints are vulnerable because they accept user input directly as file paths. An attacker can specify "/etc/passwd" or any other absolute path to read arbitrary files accessible to the application.

Fixed Code

from flask import Flask, request, send_file, abort
import os
import re

app = Flask(__name__)
DOCUMENTS_DIR = os.path.realpath("/var/www/app/documents")
ALLOWED_EXTENSIONS = {'.pdf', '.txt', '.jpg', '.png'}

def is_safe_path(base_dir, user_path):
    """Verify the resolved path is within the base directory."""
    # Reject absolute paths outright
    if os.path.isabs(user_path):
        return False, "Absolute paths not allowed"

    # Reject obvious traversal attempts
    if '..' in user_path or user_path.startswith('/'):
        return False, "Invalid path characters"

    # Construct the full path relative to base
    full_path = os.path.join(base_dir, user_path)

    # Resolve to canonical absolute path
    try:
        real_path = os.path.realpath(full_path)
    except (OSError, ValueError):
        return False, "Invalid path"

    # Verify the resolved path is within base directory
    if not real_path.startswith(base_dir + os.sep):
        return False, "Path outside allowed directory"

    # Verify file exists and is a regular file
    if not os.path.isfile(real_path):
        return False, "File not found"

    return True, real_path

def validate_extension(filepath):
    """Check if file extension is allowed."""
    ext = os.path.splitext(filepath)[1].lower()
    return ext in ALLOWED_EXTENSIONS

@app.route('/download')
def download_file():
    filename = request.args.get('path', '')

    # Validate filename format (alphanumeric, dots, underscores, hyphens only)
    if not re.match(r'^[\w\-. ]+$', filename):
        abort(400, 'Invalid filename format')

    # Validate path is safe
    is_safe, result = is_safe_path(DOCUMENTS_DIR, filename)
    if not is_safe:
        app.logger.warning(f"Path traversal attempt: (unknown) - {result}")
        abort(403, 'Access denied')

    safe_path = result

    # Validate file extension
    if not validate_extension(safe_path):
        abort(403, 'File type not allowed')

    return send_file(safe_path)

@app.route('/read')
def read_file():
    filename = request.args.get('file', '')

    # Same filename format check as /download (word characters, dots, underscores, hyphens, spaces)
    if not re.match(r'^[\w\-. ]+$', filename):
        abort(400, 'Invalid filename format')

    # Validate and get safe path
    is_safe, result = is_safe_path(DOCUMENTS_DIR, filename)
    if not is_safe:
        app.logger.warning(f"Path traversal attempt: (unknown) - {result}")
        abort(403, 'Access denied')

    safe_path = result

    # Only allow text files to be read
    if not safe_path.endswith('.txt'):
        abort(403, 'Only text files can be read')

    with open(safe_path, 'r') as f:
        return f.read()

if __name__ == '__main__':
    app.run()

The fixed code explicitly rejects absolute paths using os.path.isabs(), validates that filenames contain only allowed characters, uses os.path.realpath() to resolve symlinks and any remaining ".." components into canonical form, and verifies the resolved path starts with the base directory followed by a path separator. The separator matters: a bare prefix check against "/var/www/app/documents" would also accept a sibling directory such as "/var/www/app/documents_old". Multiple layers of defense ensure protection even if one check is bypassed.
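The following is an added example, not code from the original page, that exercises the containment rule from the Solution section and the fixed code above against a constructed directory tree. It shows the three cases that a quick prefix check gets wrong: a sibling directory (documents_old) that shares the base directory's name as a prefix, a symlink inside the documents directory that points outside it, and Windows drive or UNC forms that os.path.isabs() does not flag on a Unix host. All paths, names and the temporary layout are assumptions made for the demonstration.

```python
import os
import tempfile
def resolve_within(base_dir, user_path):
    """Map an untrusted relative name onto a canonical base_dir; return the
    resolved file path or None. Absolute forms (Unix '/', Windows 'C:' and
    UNC '\\host') are refused before joining; realpath resolves '..' and
    symlinks; commonpath, unlike a bare startswith(base_dir), does not
    accept a sibling directory such as '<root>/documents_old'."""
    if not user_path or "\x00" in user_path:
        return None
    if (os.path.isabs(user_path) or user_path[0] in "/\\"
            or (len(user_path) > 1 and user_path[1] == ":")):
        return None
    candidate = os.path.realpath(os.path.join(base_dir, user_path))
    try:
        if os.path.commonpath([base_dir, candidate]) != base_dir:
            return None
    except ValueError:  # paths on different Windows drives
        return None
    return candidate if os.path.isfile(candidate) else None

def naive_prefix_accepts(base_dir, user_path):
    """The flawed check: startswith(base_dir) with no trailing separator."""
    candidate = os.path.realpath(os.path.join(base_dir, user_path))
    return candidate.startswith(base_dir)

def build_sample_tree():
    """Constructed temp layout: documents/{report.txt,sub/notes.txt}, sibling
    documents_old/secret.txt, outside.txt, and documents/link.txt -> outside.txt."""
    root = tempfile.mkdtemp()
    base = os.path.join(root, "documents")
    for d in ("documents/sub", "documents_old"):
        os.makedirs(os.path.join(root, d))
    for rel in ("documents/report.txt", "documents/sub/notes.txt",
                "documents_old/secret.txt", "outside.txt"):
        with open(os.path.join(root, rel), "w") as f:
            f.write("sample")
    try:  # symlink creation may need extra privileges on Windows
        os.symlink(os.path.join(root, "outside.txt"), os.path.join(base, "link.txt"))
    except OSError:
        pass
    return os.path.realpath(base)

def check_cases(base_dir):
    """True means the request is allowed; only 'plain' and 'nested' should be."""
    cases = {"plain": "report.txt", "nested": "sub/notes.txt",
             "absolute": "/etc/hostname", "drive": "C:\\Windows\\win.ini",
             "dotdot": "../outside.txt", "sibling": "../documents_old/secret.txt",
             "symlink_out": "link.txt", "base_itself": "."}
    return {k: resolve_within(base_dir, v) is not None for k, v in cases.items()}
```

Calling check_cases(build_sample_tree()) allows only the two in-tree files, while naive_prefix_accepts(base, "../documents_old/secret.txt") returns True, which is the sibling-directory mistake the separator in the fixed code prevents.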


Exploited in the Wild

F5 BIG-IP Configuration File Access (Enterprise Networks, 2020-2021)

CVE-2020-5902 in F5 BIG-IP Traffic Management User Interface allowed unauthenticated attackers to access arbitrary files using absolute path traversal. Attackers could directly request sensitive files like /etc/passwd or BIG-IP configuration files containing credentials by specifying absolute paths. The vulnerability was actively exploited by ransomware operators and nation-state actors to compromise enterprise network infrastructure managing critical internet traffic.

Spring Cloud Config Arbitrary File Read (Cloud Deployments, 2020)

CVE-2020-5410 in Spring Cloud Config Server allowed attackers to read arbitrary files through directory traversal. While the vulnerability involved traversal sequences, it also accepted absolute paths when the application failed to properly restrict path resolution. Attackers targeted cloud deployments to access application.properties files containing database credentials, API keys, and other sensitive configuration data stored on Spring Cloud Config servers.

SolarWinds Serv-U Arbitrary File Read (Government & Enterprise, 2021)

CVE-2021-35211 in SolarWinds Serv-U allowed authenticated attackers to read arbitrary files by specifying absolute paths, exploited alongside CVE-2021-35215 for remote code execution. The DEV-0322 threat group (linked to China) used this vulnerability chain to target U.S. defense contractors and government agencies, accessing sensitive files containing credentials and configuration data that enabled further network penetration.


Tools to test/exploit

  • Burp Suite — web security testing platform with capabilities to test absolute path traversal by manipulating file parameters with paths like /etc/passwd and observing application responses.

  • wfuzz — web application fuzzer that can test absolute path payloads using wordlists containing common sensitive file paths for both Unix and Windows systems.

  • PayloadsAllTheThings — comprehensive repository of path traversal payloads including absolute paths for various operating systems and common target files.


CVE Examples

  • CVE-2020-5902 — F5 BIG-IP TMUI arbitrary file read and RCE via path traversal including absolute path access.

  • CVE-2020-5410 — Spring Cloud Config Server directory traversal allowing arbitrary file access through path manipulation.

  • CVE-2021-35211 — SolarWinds Serv-U arbitrary file read vulnerability exploited by nation-state actors.

  • CVE-2019-16759 — vBulletin arbitrary file inclusion via absolute path allowing remote code execution.


References

  1. MITRE. "CWE-36: Absolute Path Traversal." Common Weakness Enumeration. https://cwe.mitre.org/data/definitions/36.html

  2. PortSwigger. "What is path traversal, and how to prevent it?" Web Security Academy. https://portswigger.net/web-security/file-path-traversal

  3. OWASP. "Testing Directory Traversal File Include." Web Security Testing Guide. https://owasp.org/www-project-web-security-testing-guide/v42/4-Web_Application_Security_Testing/05-Authorization_Testing/01-Testing_Directory_Traversal_File_Include

  4. YesWeHack. "Beyond dot dot slash: a practical guide to path traversal and arbitrary file read attacks." https://www.yeswehack.com/learn-bug-bounty/practical-guide-path-traversal-attacks