CWE
Home > CWE List > CWE-147 Individual Dictionary Definition (Draft 9)   View the CWE List

CWE-147 Individual Dictionary Definition (Draft 9)

Failure to Sanitize Input Terminators
Weakness ID
Status: Draft

147 (Weakness Variant)

Description

Summary

Terminators injected into the software through input can be used to compromise a system. Example: a "." in SMTP signifies the end of mail message data, whereas a null character can be used for the end of a string.

Potential Mitigations

Developers should anticipate that terminators will be injected/removed/manipulated in the input vectors of their software system. Use an appropriate combination of black lists and white lists to ensure only valid, expected and appropriate input is processed by the system.

Observed Examples
ReferenceDescription
CVE-2000-0319MFV. mail server does not properly identify terminator string to signify end of message, causing corruption, possibly in conjunction with off-by-one error.
CVE-2000-0320MFV. mail server does not properly identify terminator string to signify end of message, causing corruption, possibly in conjunction with off-by-one error.
CVE-2001-0996Mail server does not quote end-of-input terminator if it appears in the middle of a message.
CVE-2002-0001Improperly terminated comment or phrase allows commands.
Relationships
NatureTypeIDName
ChildOfWeakness ClassWeakness ClassWeakness Class138Failure to Sanitize Special Elements
CanAlsoBeWeakness BaseWeakness BaseWeakness Base170Improper Null Termination
Source Taxonomies

PLOVER - Input Terminator

Applicable Platforms

All

Back to top
Page Last Updated: April 21, 2008
 

CWE is sponsored by the National Cyber Security Division of the U.S. Department of Homeland Security.

This Web site is hosted by The MITRE Corporation.
Copyright 2008, The MITRE Corporation. CWE and the CWE logo are trademarks of The MITRE Corporation.

Contact cwe@mitre.org for more information.
Privacy policy
Terms of use
Contact us