CWE-178 Individual Dictionary Definition (Draft 9)

Weakness ID: 178 (Weakness Base)
Status: Incomplete

Description (Summary)
Improperly handled case-sensitive data can lead to several possible consequences, including:
- case-insensitive passwords reducing the size of the key space, making brute-force attacks easier;
- bypassing filters or access controls using alternate names (e.g. "Admin" where a check looks for "admin");
- multiple interpretation errors, where two components of a system disagree on whether two differently-cased names refer to the same resource.

Functional Area: File Processing, Credentials
Affected Resource: File/Directory

Potential Mitigations
Avoid making decisions based on names of resources (e.g. files) if those resources can have alternate names.

Assume all input is malicious. Use an appropriate combination of black lists and white lists to ensure that only valid, expected and appropriate input is processed by the system. For example, valid input may be required to be an absolute pathname. You can also limit pathnames to selected drives, restrict the format to separator characters (forward or backward slashes) and alphanumeric characters only, and enforce a naming convention such as a maximum of 32 characters followed by a '.' and one of a fixed set of extensions.

Canonicalize the name to match the file system's representation of the name before comparing it against a list or a policy. This can sometimes be achieved with an available API (e.g. in Win32 the GetFullPathName function). Note that GetFullPathName is a lexical normalization (it resolves relative components against the current directory) and does not return the name in the case stored on disk; where the on-disk form is required, resolving an opened handle with GetFinalPathNameByHandle returns the volume's canonical form.

Observed Examples: (none listed in this draft)

Research Gaps
These are probably under-studied in Windows and Mac environments, where file names are case-insensitive by default and thus are subject to equivalence manipulations involving case.

Relationships: (none listed in this draft)

Source Taxonomies: PLOVER - Case Sensitivity (lowercase, uppercase, mixed case)

Applicable Platforms: All
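The filter bypass and the canonicalize-then-compare mitigation above, as an added Python example (not code from the CWE entry): a path check that compares against a protected directory name in the exact case supplied, which an attacker bypasses on a case-insensitive file system by changing one letter, next to a hardened check that accepts either separator style, collapses "." and "..", casefolds before comparison, confines the result to a root directory, and applies an allow-list pattern to the final name. The root directory, protected segment names and the allowed extensions are constructed for illustration.

```python
import posixpath
import re

# Constructed for the example: directory names the application must never serve.
PROTECTED_SEGMENTS = {"admin", "config"}

# Constructed allow-list: 1-32 word characters, a dot, and a fixed set of extensions.
ALLOWED_NAME = re.compile(r"^[a-z0-9_]{1,32}\.(txt|csv|pdf)$")


def naive_is_allowed(path: str) -> bool:
    """Vulnerable check (CWE-178): exact-case comparison of each '/'-separated segment.

    On a case-insensitive file system 'Admin/report.txt' opens the same file as
    'admin/report.txt', but only the lowercase spelling is caught here.
    """
    return not any(seg in PROTECTED_SEGMENTS for seg in path.split("/"))


def canonicalize(path: str) -> str:
    """Lexical canonicalization approximating a case-insensitive file system.

    Accepts both separator styles, collapses duplicate separators and '.'/'..'
    components, and casefolds so that 'ADMIN' and 'admin' compare equal.
    This is a lexical approximation only; the file system's own equivalence
    rules (NTFS upcase table, Unicode normalization on APFS) may differ, so
    the authoritative answer is to open the file and ask the OS for its
    canonical name.
    """
    path = path.replace("\\", "/")
    path = posixpath.normpath(path)
    return path.casefold()


def hardened_is_allowed(path: str, root: str = "/srv/files") -> bool:
    """Hardened check: canonicalize, confine to root, then apply deny- and allow-lists."""
    root = root.casefold()
    canon = canonicalize(path)
    # Join against the root and normalize again so '..' cannot escape it.
    # An absolute attacker path replaces the root in join() and is rejected below.
    full = posixpath.normpath(posixpath.join(root, canon))
    if not full.startswith(root + "/"):
        return False
    segments = full[len(root) + 1:].split("/")
    # Deny-list on directory components, compared in canonical (casefolded) form.
    if any(seg in PROTECTED_SEGMENTS for seg in segments[:-1]):
        return False
    # Allow-list on the file name itself.
    return ALLOWED_NAME.match(segments[-1]) is not None


if __name__ == "__main__":
    for candidate in ("admin/report.txt", "Admin/report.txt", "ADMIN\\report.txt",
                      "reports/../admin/report.txt", "../etc/passwd", "reports/Q1.TXT"):
        print(f"{candidate!r:32} naive={naive_is_allowed(candidate)!s:5} "
              f"hardened={hardened_is_allowed(candidate)}")
```

The naive check rejects "admin/report.txt" but accepts "Admin/report.txt", which is the alternate-name bypass the description refers to; the hardened check rejects every spelling of the protected directory, both traversal attempts, and any final name outside the allow-list, while still accepting "reports/Q1.TXT" because the comparison is done on the casefolded form.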