
CWE-178 Individual Dictionary Definition (Draft 9)

Failure to Resolve Case Sensitivity
Weakness ID: 178 (Weakness Base)
Status: Incomplete

Description

Summary

Improperly handled case sensitive data can lead to several possible consequences, including:
- case-insensitive passwords reducing the size of the key space, making brute force attacks easier
- bypassing filters or access controls using alternate names
- multiple interpretation errors using alternate names.

Functional Area

File Processing, Credentials

Affected Resource

File/Directory

Potential Mitigations

Avoid making decisions based on names of resources (e.g. files) if those resources can have alternate names.

Assume all input is malicious. Use an appropriate combination of black lists and white lists to ensure only valid, expected and appropriate input is processed by the system. For example, valid input may be in the form of an absolute pathname(s). You can also limit pathnames to exist on selected drives, have the format specified to include only separator characters (forward or backward slashes) and alphanumeric characters, and follow a naming convention such as having a maximum of 32 characters followed by a '.' and ending with specified extensions.

Canonicalize the name to match that of the file system's representation of the name. This can sometimes be achieved with an available API (e.g. in Win32 the GetFullPathName function).
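
The mitigations above, as an added example that is not part of the CWE entry: an access-control check and a script-extension check made on the raw name, beside the same checks made on a canonical name. The prefixes, extensions and request paths are constructed for illustration, and `casefold()` is an assumed stand-in for the file system's own case-folding rules.

```python
import posixpath

# Constructed policy for this example (assumptions, not taken from any product).
PROTECTED_PREFIXES = ("/admin/", "/private/")   # require authentication
SCRIPT_EXTENSIONS = (".php", ".jsp")            # executed, never served as text

# Constructed request paths.
SAMPLE_REQUESTS = [
    "/admin/users.php",
    "/Admin/users.php",
    "/public/../ADMIN/config.PHP",
    "/index.PHP",
    "/docs/readme.txt",
]


def canonical(path: str) -> str:
    """Resolve '.', '..' and repeated slashes, then fold case.

    casefold() stands in for the file system's own folding rules (assumption);
    on a real host, ask the file system for its representation of the name.
    """
    return posixpath.normpath("/" + path.lstrip("/")).casefold()


def needs_auth_naive(path: str) -> bool:
    # Weak: decides on the raw name, so "/Admin/..." looks unprotected.
    return path.startswith(PROTECTED_PREFIXES)


def needs_auth(path: str) -> bool:
    # Decides on the canonical name; the added "/" also matches "/admin" itself.
    return (canonical(path) + "/").startswith(PROTECTED_PREFIXES)


def is_script_naive(path: str) -> bool:
    # Weak: ".PHP" is not recognised, so the source could be served as text.
    return path.endswith(SCRIPT_EXTENSIONS)


def is_script(path: str) -> bool:
    return canonical(path).endswith(SCRIPT_EXTENSIONS)


def disagreements(paths):
    """Paths where the raw-name and canonical-name decisions differ."""
    return [p for p in paths
            if needs_auth_naive(p) != needs_auth(p)
            or is_script_naive(p) != is_script(p)]
```

Running `disagreements()` over request logs is a quick way to find names that a raw-string check and the file system would interpret differently.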

Observed Examples
Reference      Description
CVE-2000-0497
CVE-2000-0498
CVE-2001-0766
CVE-2001-0795
CVE-2001-1238
CVE-2003-0411
CVE-2002-0485  Leads to interpretation error
CVE-1999-0239
CVE-2005-0269
CVE-2004-1083
CVE-2004-2154  Overlaps ACL bypass
CVE-2000-0499
CVE-2002-2119  Case insensitive passwords lead to search space reduction.
CVE-2004-2214  HTTP server allows bypass of access restrictions using URIs with mixed case.
CVE-2004-2154  Mixed upper/lowercase allows bypass of ACLs.
CVE-2004-2214  Bypass access restrictions using mixed case.
CVE-2005-4509  Bypass malicious script detection by using tokens that aren't case sensitive.
CVE-2002-1820  Mixed case problem allows "admin" to have "Admin" rights (alternate name property).
CVE-2007-3365  Chain: uppercase file extensions cause web server to return script source code instead of executing the script.

Research Gaps

These are probably under-studied in Windows and Mac environments, where file names are case-insensitive and thus are subject to equivalence manipulations involving case.

Relationships
Nature      Type              ID   Name
ChildOf     Category          171  Cleansing, Canonicalization, and Comparison Errors
CanPrecede  Weakness Variant  433  Unparsed Raw Web Content Delivery
CanPrecede  Weakness Variant  289  Authentication Bypass by Alternate Name
ChildOf     Category          632  Weaknesses that Affect Files or Directories

Source Taxonomies

PLOVER - Case Sensitivity (lowercase, uppercase, mixed case)

Applicable Platforms

All

Page Last Updated: April 21, 2008