
CWE-185: Incorrect Regular Expression

 
Weakness ID: 185 (Weakness Class)
Status: Draft
+ Description

Description Summary

The software specifies a regular expression in a way that causes data to be improperly matched or compared.

Extended Description

When the regular expression is used in protection mechanisms such as filtering or validation, this may allow an attacker to bypass the intended restrictions on the incoming data.

+ Time of Introduction
  • Implementation
+ Applicable Platforms

Languages

All

+ Common Consequences
Scope | Effect
Access Control | Technical Impact: Bypass protection mechanism. In PHP, regular expression checks can sometimes be bypassed with a null byte, leading to any number of weaknesses.

+ Observed Examples
Reference | Description
CVE-2002-2109 | Regexp isn't "anchored" to the beginning or end, which allows spoofed values that have trusted values as substrings.
CVE-2005-1949 | Regexp for IP address isn't anchored at the end, allowing appending of shell metacharacters.
CVE-2001-1072 | Bypass access restrictions via multiple leading slash, which causes a regular expression to fail.
CVE-2000-0115 | Local user DoS via invalid regular expressions.
CVE-2002-1527 | chain: Malformed input generates a regular expression error that leads to information exposure.
CVE-2005-1061 | Certain strings are later used in a regexp, leading to a resultant crash.
CVE-2005-2169 | MFV. Regular expression intended to protect against directory traversal reduces ".../...//" to "../".
CVE-2005-0603 | Malformed regexp syntax leads to information exposure in error message.
CVE-2005-1820 | Code injection due to improper quoting of regular expression.
CVE-2005-3153 | Null byte bypasses PHP regexp check.
CVE-2005-4155 | Null byte bypasses PHP regexp check.
+ Potential Mitigations

Regular expressions can become error prone when defining a complex language, even for those experienced in writing grammars. Determine whether several smaller regular expressions can simplify one large regular expression. Also, subject your regular expression to thorough testing techniques such as equivalence partitioning, boundary value analysis, and robustness testing. Even after testing, when a reasonable confidence level has been achieved, a regular expression may not be foolproof. If an exploit is allowed to slip through, record the exploit and refactor your regular expression.
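The following is an added example, not part of the CWE entry: a small Python test table, built with equivalence classes and boundary values, run against an unanchored IP-address pattern (the defect in the observed examples above), a `$`-anchored one, and a hardened one. All names and inputs are constructed for illustration; the `$` case goes beyond the entry to show that in Python `$` also matches just before a trailing newline.

```python
import re

# One octet, 0-255 (constructed pattern for this example).
OCTET = r"(?:25[0-5]|2[0-4]\d|1\d\d|[1-9]?\d)"
IP = rf"{OCTET}(?:\.{OCTET}){{3}}"

UNANCHORED = re.compile(IP)         # no anchors: matches anywhere in the input
DOLLAR = re.compile(rf"^{IP}$")     # "$" still matches before a final "\n"
STRICT = re.compile(IP)             # used with fullmatch(): whole string only


def unanchored_ok(s):
    return UNANCHORED.search(s) is not None


def dollar_ok(s):
    return DOLLAR.match(s) is not None


def strict_ok(s):
    return STRICT.fullmatch(s) is not None


# Constructed test inputs: (value, should the validator accept it?)
CASES = [
    ("192.0.2.10", True),        # valid equivalence class
    ("0.0.0.0", True),           # lower boundary
    ("255.255.255.255", True),   # upper boundary
    ("256.0.0.1", False),        # just above the upper boundary
    ("192.0.2", False),          # too few octets
    ("192.0.2.10.5", False),     # too many octets
    ("192.0.2.10;x", False),     # trailing data after a valid address
    ("192.0.2.10\n", False),     # trailing newline
    ("x192.0.2.10", False),      # leading data before a valid address
    ("", False),                 # empty input
]


def failures(validator):
    """Return the inputs on which the validator gives the wrong answer."""
    return [value for value, expected in CASES if validator(value) != expected]


if __name__ == "__main__":
    for name, fn in [("unanchored", unanchored_ok), ("dollar", dollar_ok),
                     ("strict", strict_ok)]:
        print(name, [repr(v) for v in failures(fn)])
```

The unanchored pattern even accepts "256.0.0.1", because the search finds the valid substring "56.0.0.1"; any input that slips past the hardened validator should be added to `CASES` before the pattern is refactored.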

+ Other Notes

Keywords: regexp

This can seem to overlap whitelist/blacklist problems, but it is intended to deal with improperly written regular expressions, regardless of the values that those regular expressions use. While whitelists and blacklists are often implemented using regular expressions, they can be implemented using other mechanisms as well.

+ Relationships
Nature | Type | ID | Name | View(s) this relationship pertains to
ChildOf | Category | 171 | Cleansing, Canonicalization, and Comparison Errors | Development Concepts (primary) 699
ChildOf | Weakness Class | 697 | Insufficient Comparison | Research Concepts (primary) 1000
CanPrecede | Weakness Base | 182 | Collapse of Data into Unsafe Value | Research Concepts 1000
CanPrecede | Weakness Base | 187 | Partial Comparison | Research Concepts 1000
ParentOf | Weakness Base | 186 | Overly Restrictive Regular Expression | Development Concepts (primary) 699; Research Concepts (primary) 1000
ParentOf | Weakness Base | 625 | Permissive Regular Expression | Development Concepts (primary) 699; Research Concepts (primary) 1000
+ Research Gaps

Regexp errors are likely a primary factor in many MFVs, especially those that require multiple manipulations to exploit. However, they are rarely diagnosed at this level of detail.

+ Taxonomy Mappings
Mapped Taxonomy Name | Node ID | Fit | Mapped Node Name
PLOVER | - | - | Regular Expression Error
+ References
[REF-11] M. Howard and D. LeBlanc. "Writing Secure Code". Chapter 10, "Using Regular Expressions for Checking Input" Page 350. 2nd Edition. Microsoft. 2002.
+ Content History
Submissions
Submission Date | Submitter | Organization | Source
- | PLOVER | - | Externally Mined

Modifications
Modification Date | Modifier | Organization | Source
2008-07-01 | Eric Dalci | Cigital | External
    updated Time_of_Introduction
2008-09-08 | CWE Content Team | MITRE | Internal
    updated Description, Name, Relationships, Observed_Example, Other_Notes, Taxonomy_Mappings
2009-12-28 | CWE Content Team | MITRE | Internal
    updated Common_Consequences, Other_Notes
2010-02-16 | CWE Content Team | MITRE | Internal
    updated References
2010-04-05 | CWE Content Team | MITRE | Internal
    updated Description
2011-03-29 | CWE Content Team | MITRE | Internal
    updated Observed_Examples
2011-06-01 | CWE Content Team | MITRE | Internal
    updated Common_Consequences

Previous Entry Names
Change Date | Previous Entry Name
2008-09-09 | Regular Expression Error
Page Last Updated: September 12, 2011