CWE
Home > CWE List > CWE-155 Individual Dictionary Definition (Draft 9)   View the CWE List

CWE-155 Individual Dictionary Definition (Draft 9)

Failure to Sanitize Wildcard or Matching Symbol
Weakness ID
Status: Draft

155 (Weakness Variant)

Description

Summary

Wildcard or matching elements (e.g. '*') injected into an application through input can be used to compromise a system. As data is parsed, an injected element may cause the process to take unexpected actions.

Potential Mitigations

Developers should anticipate that wildcard or matching elements will be injected/removed/manipulated in the input vectors of their software system. Use an appropriate combination of black lists and white lists to ensure only valid, expected and appropriate input is processed by the system.

Observed Examples
ReferenceDescription
CVE-2002-0433Bypass file restrictions using wildcard character.
CVE-2002-1010Bypass file restrictions using wildcard character.
CVE-2001-0334Wildcards generate long string on expansion.
CVE-2004-1962SQL injection involving "/**/" sequences.
Research Gaps

Under-studied.

Relationships
NatureTypeIDName
ChildOfWeakness ClassWeakness ClassWeakness Class138Failure to Sanitize Special Elements
Source Taxonomies

PLOVER - Wildcard or Matching Element

Applicable Platforms

All

Back to top
Page Last Updated: April 21, 2008
 

CWE is sponsored by the National Cyber Security Division of the U.S. Department of Homeland Security.

This Web site is hosted by The MITRE Corporation.
Copyright 2008, The MITRE Corporation. CWE and the CWE logo are trademarks of The MITRE Corporation.

Contact cwe@mitre.org for more information.
Privacy policy
Terms of use
Contact us