﻿id	summary	reporter	owner	description	type	status	component	version	resolution	keywords	cc	guest	host
14153	Backslash recognised as path separator on Linux guests in shared folders	colml		"While security testing a PHP web application that uses the basename() function to prevent directory traversal attacks I discovered that backslashes are recognised as valid path separators on Linux guests when working in shared folders. The host is running on Windows.

As basename() on Linux does not strip backslashes directory traversal is possible (i.e. passing {{{..\\..\\..\\target\\securefile}}}).

The can be tested in bash by changing the current directory ({{{cd ..\\}}}) or referencing another file ({{{cat ..\\file.txt}}}).

Tested on a Ubuntu 14.04 guest with the latest guest additions installed via apt-get. I have not tested on other hosts or guests.

It's possible this behaviour is intentional, but it does allow security breaches in certain cases. 
"	defect	closed	shared folders	VirtualBox 4.3.28	fixed	backslash path security		Linux	Windows
