CWE

Common Weakness Enumeration

A Community-Developed List of Software Weakness Types

CWE/SANS Top 25 Most Dangerous Software Errors
Home > CWE List > CWE- Individual Dictionary Definition (2.10)  
ID

CWE-224: Obscured Security-relevant Information by Alternate Name

Weakness ID: 224
Abstraction: Base
Status: Incomplete
Presentation Filter:
+ Description

Description Summary

The software records security-relevant information according to an alternate name of the affected entity, instead of the canonical name.
+ Time of Introduction
  • Architecture and Design
  • Implementation
  • Operation
+ Applicable Platforms

Languages

All

+ Common Consequences
ScopeEffect
Non-Repudiation
Access Control

Technical Impact: Hide activities; Gain privileges / assume identity

+ Demonstrative Examples

Example 1

This code prints the contents of a file if a user has permission.

(Bad Code)
Example Language: PHP 
function readFile($filename){
$user = getCurrentUser();
$realFile = $filename;

//resolve file if its a symbolic link
if(is_link($filename)){
$realFile = readlink($filename);
}

if(fileowner($realFile) == $user){
echo file_get_contents($realFile);
return;
}
else{
echo 'Access denied';
writeLog($user . ' attempted to access the file '. $filename . ' on '. date('r'));
}
}

While the code logs a bad access attempt, it logs the user supplied name for the file, not the canonicalized file name. An attacker can obscure his target by giving the script the name of a link to the file he is attempting to access. Also note this code contains a race condition between the is_link() and readlink() functions (CWE-363).

+ Observed Examples
ReferenceDescription
Attacker performs malicious actions on a hard link to a file, obscuring the real target file.
+ Relationships
NatureTypeIDNameView(s) this relationship pertains toView(s)
ChildOfWeakness ClassWeakness Class221Information Loss or Omission
Development Concepts (primary)699
Research Concepts (primary)1000
ChildOfCategoryCategory997SFP Secondary Cluster: Information Loss
Software Fault Pattern (SFP) Clusters (primary)888
+ Taxonomy Mappings
Mapped Taxonomy NameNode IDFitMapped Node Name
PLOVERObscured Security-relevant Information by Alternate Name
+ References
[REF-11] M. Howard and D. LeBlanc. "Writing Secure Code". 2nd Edition. Microsoft. 2002.
+ Content History
Submissions
Submission DateSubmitterOrganizationSource
PLOVERExternally Mined
Modifications
Modification DateModifierOrganizationSource
2008-07-01Eric DalciCigitalExternal
updated Time_of_Introduction
2008-09-08CWE Content TeamMITREInternal
updated Relationships, Taxonomy_Mappings
2011-03-29CWE Content TeamMITREInternal
updated Demonstrative_Examples
2011-06-01CWE Content TeamMITREInternal
updated Common_Consequences
2012-05-11CWE Content TeamMITREInternal
updated References, Relationships
2012-10-30CWE Content TeamMITREInternal
updated Potential_Mitigations
2014-07-30CWE Content TeamMITREInternal
updated Relationships

More information is available — Please select a different filter.
Page Last Updated: January 18, 2017