CWE-59
AllowedImproper Link Resolution Before File Access ('Link Following')
Abstraction: Base · Status: Draft
The product attempts to access a file based on the filename, but it does not properly prevent that filename from identifying a link or shortcut that resolves to an unintended resource.
1987 vulnerabilities reference this CWE, most recent first.
GHSA-R44P-PJ93-6HHQ
Vulnerability from github – Published: 2022-04-30 18:15 – Updated: 2024-01-26 18:30Joe text editor follows symbolic links when creating a rescue copy called DEADJOE during an abnormal exit, which allows local users to overwrite the files of other users whose joe session crashes.
{
"affected": [],
"aliases": [
"CVE-2000-1178"
],
"database_specific": {
"cwe_ids": [
"CWE-59"
],
"github_reviewed": false,
"github_reviewed_at": null,
"nvd_published_at": "2001-01-09T05:00:00Z",
"severity": "LOW"
},
"details": "Joe text editor follows symbolic links when creating a rescue copy called DEADJOE during an abnormal exit, which allows local users to overwrite the files of other users whose joe session crashes.",
"id": "GHSA-r44p-pj93-6hhq",
"modified": "2024-01-26T18:30:28Z",
"published": "2022-04-30T18:15:03Z",
"references": [
{
"type": "ADVISORY",
"url": "https://nvd.nist.gov/vuln/detail/CVE-2000-1178"
},
{
"type": "WEB",
"url": "https://exchange.xforce.ibmcloud.com/vulnerabilities/5546"
},
{
"type": "WEB",
"url": "http://archives.neohapsis.com/archives/bugtraq/2000-11/0227.html"
},
{
"type": "WEB",
"url": "http://distro.conectiva.com.br/atualizacoes/?id=a\u0026anuncio=000356"
},
{
"type": "WEB",
"url": "http://marc.info/?l=bugtraq\u0026m=97500174210821\u0026w=2"
},
{
"type": "WEB",
"url": "http://www.debian.org/security/2000/20001201"
},
{
"type": "WEB",
"url": "http://www.linux-mandrake.com/en/security/MDKSA-2000-072.php3"
},
{
"type": "WEB",
"url": "http://www.redhat.com/support/errata/RHSA-2000-110.html"
},
{
"type": "WEB",
"url": "http://www.securityfocus.com/bid/1959"
}
],
"schema_version": "1.4.0",
"severity": [
{
"score": "CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:U/C:N/I:H/A:N",
"type": "CVSS_V3"
}
]
}
GHSA-R4RQ-CX8F-2VFH
Vulnerability from github – Published: 2022-05-17 05:52 – Updated: 2022-05-17 05:52fwb_install in fwbuilder 2.1.19 allows local users to overwrite arbitrary files via a symlink attack on a /tmp/ssh-agent.##### temporary file.
{
"affected": [],
"aliases": [
"CVE-2008-4956"
],
"database_specific": {
"cwe_ids": [
"CWE-59"
],
"github_reviewed": false,
"github_reviewed_at": null,
"nvd_published_at": "2008-11-05T15:00:00Z",
"severity": "MODERATE"
},
"details": "fwb_install in fwbuilder 2.1.19 allows local users to overwrite arbitrary files via a symlink attack on a /tmp/ssh-agent.##### temporary file.",
"id": "GHSA-r4rq-cx8f-2vfh",
"modified": "2022-05-17T05:52:31Z",
"published": "2022-05-17T05:52:31Z",
"references": [
{
"type": "ADVISORY",
"url": "https://nvd.nist.gov/vuln/detail/CVE-2008-4956"
},
{
"type": "WEB",
"url": "https://bugs.gentoo.org/show_bug.cgi?id=235770"
},
{
"type": "WEB",
"url": "https://bugs.gentoo.org/show_bug.cgi?id=235809"
},
{
"type": "WEB",
"url": "http://bugs.debian.org/496406"
},
{
"type": "WEB",
"url": "http://dev.gentoo.org/~rbu/security/debiantemp/fwbuilder"
},
{
"type": "WEB",
"url": "http://www.openwall.com/lists/oss-security/2008/10/30/2"
}
],
"schema_version": "1.4.0",
"severity": []
}
GHSA-R4XG-5WRJ-C7G3
Vulnerability from github – Published: 2022-05-13 01:04 – Updated: 2025-06-09 18:31systemd, when updating file permissions, allows local users to change the permissions and SELinux security contexts for arbitrary files via a symlink attack on unspecified files.
{
"affected": [],
"aliases": [
"CVE-2013-4392"
],
"database_specific": {
"cwe_ids": [
"CWE-59"
],
"github_reviewed": false,
"github_reviewed_at": null,
"nvd_published_at": "2013-10-28T22:55:00Z",
"severity": "LOW"
},
"details": "systemd, when updating file permissions, allows local users to change the permissions and SELinux security contexts for arbitrary files via a symlink attack on unspecified files.",
"id": "GHSA-r4xg-5wrj-c7g3",
"modified": "2025-06-09T18:31:54Z",
"published": "2022-05-13T01:04:12Z",
"references": [
{
"type": "ADVISORY",
"url": "https://nvd.nist.gov/vuln/detail/CVE-2013-4392"
},
{
"type": "WEB",
"url": "https://bugzilla.redhat.com/show_bug.cgi?id=859060"
},
{
"type": "WEB",
"url": "http://bugs.debian.org/cgi-bin/bugreport.cgi?bug=725357"
},
{
"type": "WEB",
"url": "http://www.openwall.com/lists/oss-security/2013/10/01/9"
}
],
"schema_version": "1.4.0",
"severity": [
{
"score": "CVSS:3.1/AV:L/AC:L/PR:L/UI:R/S:U/C:H/I:N/A:N",
"type": "CVSS_V3"
}
]
}
GHSA-R54R-WMMQ-MH84
Vulnerability from github – Published: 2026-03-03 21:20 – Updated: 2026-03-23 21:51Summary
ZIP extraction in OpenClaw could be raced into writing outside the intended destination directory via parent-directory symlink rebind between validation and write.
Affected Packages / Versions
- Package:
openclaw(npm) - Vulnerable versions:
<= 2026.3.1 - Latest published vulnerable version confirmed:
2026.3.1(npm as of 2026-03-02) - Patched version:
2026.3.2(released)
Technical Details
In src/infra/archive.ts, ZIP extraction previously validated output paths, then later opened/truncated the destination path in a separate step. A local race on parent-directory symlink state could redirect the final write outside the extraction root.
The fix hardens ZIP writes by binding writes to the opened file handle identity and avoiding the pre-write truncate race path, with shared fd realpath verification in src/infra/fs-safe.ts and regression coverage in src/infra/archive.test.ts.
Fix Commit(s)
7dac9b05dd9d38dd3929637f26fa356fd8bdd107
{
"affected": [
{
"database_specific": {
"last_known_affected_version_range": "\u003c= 2026.3.1"
},
"package": {
"ecosystem": "npm",
"name": "openclaw"
},
"ranges": [
{
"events": [
{
"introduced": "0"
},
{
"fixed": "2026.3.2"
}
],
"type": "ECOSYSTEM"
}
]
}
],
"aliases": [
"CVE-2026-28483"
],
"database_specific": {
"cwe_ids": [
"CWE-367",
"CWE-59"
],
"github_reviewed": true,
"github_reviewed_at": "2026-03-03T21:20:14Z",
"nvd_published_at": null,
"severity": "HIGH"
},
"details": "### Summary\nZIP extraction in OpenClaw could be raced into writing outside the intended destination directory via parent-directory symlink rebind between validation and write.\n\n### Affected Packages / Versions\n- Package: `openclaw` (npm)\n- Vulnerable versions: `\u003c= 2026.3.1`\n- Latest published vulnerable version confirmed: `2026.3.1` (npm as of 2026-03-02)\n- Patched version: `2026.3.2` (released)\n\n### Technical Details\nIn `src/infra/archive.ts`, ZIP extraction previously validated output paths, then later opened/truncated the destination path in a separate step. A local race on parent-directory symlink state could redirect the final write outside the extraction root.\n\nThe fix hardens ZIP writes by binding writes to the opened file handle identity and avoiding the pre-write truncate race path, with shared fd realpath verification in `src/infra/fs-safe.ts` and regression coverage in `src/infra/archive.test.ts`.\n\n### Fix Commit(s)\n- `7dac9b05dd9d38dd3929637f26fa356fd8bdd107`",
"id": "GHSA-r54r-wmmq-mh84",
"modified": "2026-03-23T21:51:24Z",
"published": "2026-03-03T21:20:14Z",
"references": [
{
"type": "WEB",
"url": "https://github.com/openclaw/openclaw/security/advisories/GHSA-r54r-wmmq-mh84"
},
{
"type": "WEB",
"url": "https://github.com/openclaw/openclaw/commit/7dac9b05dd9d38dd3929637f26fa356fd8bdd107"
},
{
"type": "PACKAGE",
"url": "https://github.com/openclaw/openclaw"
}
],
"schema_version": "1.4.0",
"severity": [
{
"score": "CVSS:4.0/AV:N/AC:L/AT:N/PR:N/UI:N/VC:N/VI:H/VA:N/SC:N/SI:N/SA:N",
"type": "CVSS_V4"
}
],
"summary": "OpenClaw: ZIP extraction race could write outside destination via parent symlink rebind"
}
GHSA-R59X-25PH-XP4Q
Vulnerability from github – Published: 2022-05-17 02:18 – Updated: 2022-05-17 02:18ltp-network-test 20060918 allows local users to overwrite arbitrary files via a symlink attack on (a) /tmp/vsftpd.conf, (b) /tmp/udp/2/, (c) /tmp/tcp/2/, (d) /tmp/udp/3/, (e) /tmp/tcp/3/, (f) /tmp/nfs_fsstress.udp.2.log, (g) /tmp/nfs_fsstress.udp.3.log, (h) /tmp/nfs_fsstress.tcp.2.log, (i) /tmp/nfs_fsstress.tcp.3.log, and (j) /tmp/nfs_fsstress.sardata temporary files, related to the (1) ftp_setup_vsftp_conf and (2) nfs_fsstress.sh scripts.
{
"affected": [],
"aliases": [
"CVE-2008-4969"
],
"database_specific": {
"cwe_ids": [
"CWE-59"
],
"github_reviewed": false,
"github_reviewed_at": null,
"nvd_published_at": "2008-11-06T15:55:00Z",
"severity": "MODERATE"
},
"details": "ltp-network-test 20060918 allows local users to overwrite arbitrary files via a symlink attack on (a) /tmp/vsftpd.conf, (b) /tmp/udp/2/*, (c) /tmp/tcp/2/*, (d) /tmp/udp/3/*, (e) /tmp/tcp/3/*, (f) /tmp/nfs_fsstress.udp.2.log, (g) /tmp/nfs_fsstress.udp.3.log, (h) /tmp/nfs_fsstress.tcp.2.log, (i) /tmp/nfs_fsstress.tcp.3.log, and (j) /tmp/nfs_fsstress.sardata temporary files, related to the (1) ftp_setup_vsftp_conf and (2) nfs_fsstress.sh scripts.",
"id": "GHSA-r59x-25ph-xp4q",
"modified": "2022-05-17T02:18:31Z",
"published": "2022-05-17T02:18:31Z",
"references": [
{
"type": "ADVISORY",
"url": "https://nvd.nist.gov/vuln/detail/CVE-2008-4969"
},
{
"type": "WEB",
"url": "https://bugs.gentoo.org/show_bug.cgi?id=235770"
},
{
"type": "WEB",
"url": "https://exchange.xforce.ibmcloud.com/vulnerabilities/46566"
},
{
"type": "WEB",
"url": "http://bugs.debian.org/496411"
},
{
"type": "WEB",
"url": "http://dev.gentoo.org/~rbu/security/debiantemp/ltp-network-te"
},
{
"type": "WEB",
"url": "http://www.openwall.com/lists/oss-security/2008/10/30/2"
}
],
"schema_version": "1.4.0",
"severity": []
}
GHSA-R5GJ-4C52-PR9M
Vulnerability from github – Published: 2022-05-01 23:40 – Updated: 2022-05-01 23:40The prerm script in axyl 2.1.7 allows local users to overwrite arbitrary files via a symlink attack on the axyl.conf temporary file.
{
"affected": [],
"aliases": [
"CVE-2008-1417"
],
"database_specific": {
"cwe_ids": [
"CWE-59"
],
"github_reviewed": false,
"github_reviewed_at": null,
"nvd_published_at": "2008-03-20T17:44:00Z",
"severity": "MODERATE"
},
"details": "The prerm script in axyl 2.1.7 allows local users to overwrite arbitrary files via a symlink attack on the axyl.conf temporary file.",
"id": "GHSA-r5gj-4c52-pr9m",
"modified": "2022-05-01T23:40:02Z",
"published": "2022-05-01T23:40:02Z",
"references": [
{
"type": "ADVISORY",
"url": "https://nvd.nist.gov/vuln/detail/CVE-2008-1417"
},
{
"type": "WEB",
"url": "https://exchange.xforce.ibmcloud.com/vulnerabilities/41406"
},
{
"type": "WEB",
"url": "http://bugs.debian.org/cgi-bin/bugreport.cgi?bug=471227"
}
],
"schema_version": "1.4.0",
"severity": []
}
GHSA-R5Q6-7HM3-JQ89
Vulnerability from github – Published: 2022-05-17 01:39 – Updated: 2022-05-17 01:39welcome.py in xdiagnose before 2.5.2ubuntu0.1 allows local users to overwrite arbitrary files via a symlink attack on a temporary file with a predictable name in /tmp.
{
"affected": [],
"aliases": [
"CVE-2012-5355"
],
"database_specific": {
"cwe_ids": [
"CWE-59"
],
"github_reviewed": false,
"github_reviewed_at": null,
"nvd_published_at": "2012-10-10T18:55:00Z",
"severity": "LOW"
},
"details": "welcome.py in xdiagnose before 2.5.2ubuntu0.1 allows local users to overwrite arbitrary files via a symlink attack on a temporary file with a predictable name in /tmp.",
"id": "GHSA-r5q6-7hm3-jq89",
"modified": "2022-05-17T01:39:43Z",
"published": "2022-05-17T01:39:43Z",
"references": [
{
"type": "ADVISORY",
"url": "https://nvd.nist.gov/vuln/detail/CVE-2012-5355"
},
{
"type": "WEB",
"url": "https://bugs.launchpad.net/ubuntu/+source/xdiagnose/+bug/1036211"
},
{
"type": "WEB",
"url": "https://exchange.xforce.ibmcloud.com/vulnerabilities/79475"
},
{
"type": "WEB",
"url": "http://osvdb.org/85882"
},
{
"type": "WEB",
"url": "http://secunia.com/advisories/50854"
},
{
"type": "WEB",
"url": "http://www.ubuntu.com/usn/USN-1591-1"
}
],
"schema_version": "1.4.0",
"severity": []
}
GHSA-R5RC-2F7J-5XX4
Vulnerability from github – Published: 2022-05-17 02:11 – Updated: 2022-05-17 02:11rlatex in AlcoveBook sgml2x 1.0.0 allows local users to overwrite arbitrary files via a symlink attack on temporary files.
{
"affected": [],
"aliases": [
"CVE-2008-6397"
],
"database_specific": {
"cwe_ids": [
"CWE-59"
],
"github_reviewed": false,
"github_reviewed_at": null,
"nvd_published_at": "2009-03-04T17:30:00Z",
"severity": "MODERATE"
},
"details": "rlatex in AlcoveBook sgml2x 1.0.0 allows local users to overwrite arbitrary files via a symlink attack on temporary files.",
"id": "GHSA-r5rc-2f7j-5xx4",
"modified": "2022-05-17T02:11:21Z",
"published": "2022-05-17T02:11:21Z",
"references": [
{
"type": "ADVISORY",
"url": "https://nvd.nist.gov/vuln/detail/CVE-2008-6397"
},
{
"type": "WEB",
"url": "https://exchange.xforce.ibmcloud.com/vulnerabilities/44879"
},
{
"type": "WEB",
"url": "http://bugs.debian.org/cgi-bin/bugreport.cgi?bug=496368"
},
{
"type": "WEB",
"url": "http://lists.debian.org/debian-devel/2008/08/msg00312.html"
},
{
"type": "WEB",
"url": "http://www.securityfocus.com/bid/30963"
}
],
"schema_version": "1.4.0",
"severity": []
}
GHSA-R628-MHMH-QJHW
Vulnerability from github – Published: 2021-08-03 19:00 – Updated: 2023-03-09 16:44Impact
Arbitrary File Creation, Arbitrary File Overwrite, Arbitrary Code Execution
node-tar aims to guarantee that any file whose location would be modified by a symbolic link is not extracted. This is, in part, achieved by ensuring that extracted directories are not symlinks. Additionally, in order to prevent unnecessary stat calls to determine whether a given path is a directory, paths are cached when directories are created.
This logic was insufficient when extracting tar files that contained both a directory and a symlink with the same name as the directory. This order of operations resulted in the directory being created and added to the node-tar directory cache. When a directory is present in the directory cache, subsequent calls to mkdir for that directory are skipped. However, this is also where node-tar checks for symlinks occur.
By first creating a directory, and then replacing that directory with a symlink, it was thus possible to bypass node-tar symlink checks on directories, essentially allowing an untrusted tar file to symlink into an arbitrary location and subsequently extracting arbitrary files into that location, thus allowing arbitrary file creation and overwrite.
This issue was addressed in releases 3.2.3, 4.4.15, 5.0.7 and 6.1.2.
Patches
3.2.3 || 4.4.15 || 5.0.7 || 6.1.2
Workarounds
Users may work around this vulnerability without upgrading by creating a custom filter method which prevents the extraction of symbolic links.
const tar = require('tar')
tar.x({
file: 'archive.tgz',
filter: (file, entry) => {
if (entry.type === 'SymbolicLink') {
return false
} else {
return true
}
}
})
Users are encouraged to upgrade to the latest patch versions, rather than attempt to sanitize tar input themselves.
{
"affected": [
{
"package": {
"ecosystem": "npm",
"name": "tar"
},
"ranges": [
{
"events": [
{
"introduced": "3.0.0"
},
{
"fixed": "3.2.3"
}
],
"type": "ECOSYSTEM"
}
]
},
{
"package": {
"ecosystem": "npm",
"name": "tar"
},
"ranges": [
{
"events": [
{
"introduced": "4.0.0"
},
{
"fixed": "4.4.15"
}
],
"type": "ECOSYSTEM"
}
]
},
{
"package": {
"ecosystem": "npm",
"name": "tar"
},
"ranges": [
{
"events": [
{
"introduced": "5.0.0"
},
{
"fixed": "5.0.7"
}
],
"type": "ECOSYSTEM"
}
]
},
{
"package": {
"ecosystem": "npm",
"name": "tar"
},
"ranges": [
{
"events": [
{
"introduced": "6.0.0"
},
{
"fixed": "6.1.2"
}
],
"type": "ECOSYSTEM"
}
]
}
],
"aliases": [
"CVE-2021-32803"
],
"database_specific": {
"cwe_ids": [
"CWE-22",
"CWE-23",
"CWE-59"
],
"github_reviewed": true,
"github_reviewed_at": "2021-08-03T18:59:57Z",
"nvd_published_at": "2021-08-03T19:15:00Z",
"severity": "HIGH"
},
"details": "### Impact\n\nArbitrary File Creation, Arbitrary File Overwrite, Arbitrary Code Execution\n\n`node-tar` aims to guarantee that any file whose location would be modified by a symbolic link is not extracted. This is, in part, achieved by ensuring that extracted directories are not symlinks. Additionally, in order to prevent unnecessary `stat` calls to determine whether a given path is a directory, paths are cached when directories are created.\n\nThis logic was insufficient when extracting tar files that contained both a directory and a symlink with the same name as the directory. This order of operations resulted in the directory being created and added to the `node-tar` directory cache. When a directory is present in the directory cache, subsequent calls to mkdir for that directory are skipped. However, this is also where `node-tar` checks for symlinks occur.\n\nBy first creating a directory, and then replacing that directory with a symlink, it was thus possible to bypass `node-tar` symlink checks on directories, essentially allowing an untrusted tar file to symlink into an arbitrary location and subsequently extracting arbitrary files into that location, thus allowing arbitrary file creation and overwrite.\n\nThis issue was addressed in releases 3.2.3, 4.4.15, 5.0.7 and 6.1.2.\n\n### Patches\n\n3.2.3 || 4.4.15 || 5.0.7 || 6.1.2\n\n### Workarounds\n\nUsers may work around this vulnerability without upgrading by creating a custom `filter` method which prevents the extraction of symbolic links.\n\n```js\nconst tar = require(\u0027tar\u0027)\n\ntar.x({\n file: \u0027archive.tgz\u0027,\n filter: (file, entry) =\u003e {\n if (entry.type === \u0027SymbolicLink\u0027) {\n return false\n } else {\n return true\n }\n }\n})\n```\n\nUsers are encouraged to upgrade to the latest patch versions, rather than attempt to sanitize tar input themselves.",
"id": "GHSA-r628-mhmh-qjhw",
"modified": "2023-03-09T16:44:57Z",
"published": "2021-08-03T19:00:40Z",
"references": [
{
"type": "WEB",
"url": "https://github.com/npm/node-tar/security/advisories/GHSA-r628-mhmh-qjhw"
},
{
"type": "ADVISORY",
"url": "https://nvd.nist.gov/vuln/detail/CVE-2021-32803"
},
{
"type": "WEB",
"url": "https://github.com/isaacs/node-tar/commit/46fe35083e2676e31c4e0a81639dce6da7aaa356"
},
{
"type": "WEB",
"url": "https://github.com/isaacs/node-tar/commit/5987d9a41f6bfbf1ddab1098e1fdcf1a5618f571"
},
{
"type": "WEB",
"url": "https://github.com/isaacs/node-tar/commit/85d3a942b4064e4ff171f91696fced7975167349"
},
{
"type": "WEB",
"url": "https://github.com/isaacs/node-tar/commit/9dbdeb6df8e9dbd96fa9e84341b9d74734be6c20"
},
{
"type": "WEB",
"url": "https://github.com/npm/node-tar/commit/9dbdeb6df8e9dbd96fa9e84341b9d74734be6c20"
},
{
"type": "WEB",
"url": "https://cert-portal.siemens.com/productcert/pdf/ssa-389290.pdf"
},
{
"type": "PACKAGE",
"url": "https://github.com/isaacs/node-tar"
},
{
"type": "WEB",
"url": "https://www.npmjs.com/advisories/1771"
},
{
"type": "WEB",
"url": "https://www.npmjs.com/package/tar"
},
{
"type": "WEB",
"url": "https://www.oracle.com/security-alerts/cpuoct2021.html"
}
],
"schema_version": "1.4.0",
"severity": [
{
"score": "CVSS:3.1/AV:L/AC:L/PR:N/UI:R/S:C/C:H/I:H/A:N",
"type": "CVSS_V3"
}
],
"summary": "Arbitrary File Creation/Overwrite via insufficient symlink protection due to directory cache poisoning"
}
GHSA-R65Q-QPW9-V3QF
Vulnerability from github – Published: 2024-03-21 00:30 – Updated: 2024-03-21 00:30Xbox Gaming Services Elevation of Privilege Vulnerability
{
"affected": [],
"aliases": [
"CVE-2024-28916"
],
"database_specific": {
"cwe_ids": [
"CWE-59"
],
"github_reviewed": false,
"github_reviewed_at": null,
"nvd_published_at": "2024-03-21T00:15:09Z",
"severity": "HIGH"
},
"details": "Xbox Gaming Services Elevation of Privilege Vulnerability",
"id": "GHSA-r65q-qpw9-v3qf",
"modified": "2024-03-21T00:30:56Z",
"published": "2024-03-21T00:30:56Z",
"references": [
{
"type": "ADVISORY",
"url": "https://nvd.nist.gov/vuln/detail/CVE-2024-28916"
},
{
"type": "WEB",
"url": "https://msrc.microsoft.com/update-guide/vulnerability/CVE-2024-28916"
}
],
"schema_version": "1.4.0",
"severity": [
{
"score": "CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:C/C:H/I:H/A:H",
"type": "CVSS_V3"
}
]
}
Mitigation MIT-48.1
Strategy: Separation of Privilege
- Follow the principle of least privilege when assigning access rights to entities in a software system.
- Denying access to a file can prevent an attacker from replacing that file with a link to a sensitive file. Ensure good compartmentalization in the system to provide protected areas that can be trusted.
CAPEC-132: Symlink Attack
An adversary positions a symbolic link in such a manner that the targeted user or application accesses the link's endpoint, assuming that it is accessing a file with the link's name.
CAPEC-17: Using Malicious Files
An attack of this type exploits a system's configuration that allows an adversary to either directly access an executable file, for example through shell access; or in a possible worst case allows an adversary to upload a file and then execute it. Web servers, ftp servers, and message oriented middleware systems which have many integration points are particularly vulnerable, because both the programmers and the administrators must be in synch regarding the interfaces and the correct privileges for each interface.
CAPEC-35: Leverage Executable Code in Non-Executable Files
An attack of this type exploits a system's trust in configuration and resource files. When the executable loads the resource (such as an image file or configuration file) the attacker has modified the file to either execute malicious code directly or manipulate the target process (e.g. application server) to execute based on the malicious configuration parameters. Since systems are increasingly interrelated mashing up resources from local and remote sources the possibility of this attack occurring is high.
CAPEC-76: Manipulating Web Input to File System Calls
An attacker manipulates inputs to the target software which the target software passes to file system calls in the OS. The goal is to gain access to, and perhaps modify, areas of the file system that the target software did not intend to be accessible.