CWE - CWE-348: Use of Less Trusted Source (2.11)

Weakness ID: 348

Abstraction: Base

Status: Draft

Presentation Filter:

Description

Description Summary

The software has two different sources of the same data or information, but it uses the source that has less support for verification, is less trusted, or is less resistant to attack.

Time of Introduction

Architecture and Design
Implementation

Applicable Platforms

Languages

All

Common Consequences

Scope	Effect
Access Control	Technical Impact: Bypass protection mechanism; Gain privileges / assume identity An attacker could utilize the untrusted data source to bypass protection mechanisms and gain access to sensitive data.

Demonstrative Examples

Example 1

This code attempts to limit the access of a page to certain IP Addresses. It checks the 'HTTP_X_FORWARDED_FOR' header in case an authorized user is sending the request through a proxy.

(Bad Code)

Example Language: PHP

$requestingIP = '0.0.0.0';

if (array_key_exists('HTTP_X_FORWARDED_FOR', $_SERVER)) {

$requestingIP = $_SERVER['HTTP_X_FORWARDED_FOR'];

else{

$requestingIP = $_SERVER['REMOTE_ADDR'];

}

if(in_array($requestingIP,$ipWhitelist)){

generatePage();

return;

}

else{

echo "You are not authorized to view this page";

return;

}

The 'HTTP_X_FORWARDED_FOR' header can be user controlled and so should never be trusted. An attacker can falsify the header to gain access to the page.

This fixed code only trusts the 'REMOTE_ADDR' header and so avoids the issue:

(Good Code)

Example Language: PHP

$requestingIP = '0.0.0.0';

if (array_key_exists('HTTP_X_FORWARDED_FOR', $_SERVER)) {

echo "This application cannot be accessed through a proxy.";

return;

else{

$requestingIP = $_SERVER['REMOTE_ADDR'];

}

...

Be aware that 'REMOTE_ADDR' can still be spoofed. This may seem useless because the server will send the response to the fake address and not the attacker, but this may still be enough to conduct an attack. For example, if the generatePage() function in this code is resource intensive, an attacker could flood the server with fake requests using an authorized IP and consume significant resources. This could be a serious DoS attack even though the attacker would never see the page's sensitive content.

Observed Examples

Reference	Description
CVE-2001-0860	Product uses IP address provided by a client, instead of obtaining it from the packet headers, allowing easier spoofing.
CVE-2004-1950	Web product uses the IP address in the X-Forwarded-For HTTP header instead of a server variable that uses the connecting IP address, allowing filter bypass.
	Similar to CVE-2004-1950
CVE-2001-0908	Product logs IP address specified by the client instead of obtaining it from the packet headers, allowing information hiding.
CVE-2006-1126	PHP application uses IP address from X-Forwarded-For HTTP header, instead of REMOTE_ADDR.

Relationships

Nature	Type	ID	Name	View(s) this relationship pertains to
ChildOf	Weakness Class	345	Insufficient Verification of Data Authenticity	Development Concepts (primary)699 Research Concepts (primary)1000
ChildOf	Category	975	SFP Secondary Cluster: Architecture	Software Fault Pattern (SFP) Clusters (primary)888
MemberOf	View	884	CWE Cross-section	CWE Cross-section (primary)884

Taxonomy Mappings

Mapped Taxonomy Name	Node ID	Fit	Mapped Node Name
PLOVER			Use of Less Trusted Source

Related Attack Patterns

CAPEC-ID	Attack Pattern Name	(CAPEC Version: 2.10)
CAPEC-141	Cache Poisoning
CAPEC-142	DNS Cache Poisoning
CAPEC-73	User-Controlled Filename
CAPEC-76	Manipulating Web Input to File System Calls
CAPEC-85	AJAX Fingerprinting

Content History

Submissions
Submission Date	Submitter	Organization	Source
	PLOVER		Externally Mined

Modifications
Modification Date	Modifier	Organization	Source
2008-07-01	Eric Dalci	Cigital	External
2008-07-01	updated Time_of_Introduction
2008-09-08	CWE Content Team	MITRE	Internal
2008-09-08	updated Relationships, Taxonomy_Mappings
2011-06-01	CWE Content Team	MITRE	Internal
2011-06-01	updated Common_Consequences
2012-05-11	CWE Content Team	MITRE	Internal
2012-05-11	updated Common_Consequences, Demonstrative_Examples, Observed_Examples, Related_Attack_Patterns, Relationships
2013-07-17	CWE Content Team	MITRE	Internal
2013-07-17	updated Relationships
2014-07-30	CWE Content Team	MITRE	Internal
2014-07-30	updated Relationships
2017-05-03	CWE Content Team	MITRE	Internal
2017-05-03	updated Related_Attack_Patterns


	Use of the Common Weakness Enumeration and the associated references from this website are subject to the Terms of Use. For more information, please email cwe@mitre.org. CWE is sponsored by US-CERT in the office of Cybersecurity and Communications at the U.S. Department of Homeland Security. Copyright © 2006-2017, The MITRE Corporation. CWE, CWSS, CWRAF, and the CWE logo are trademarks of The MITRE Corporation.	Privacy policy Terms of use Contact us

Common Weakness Enumeration

CWE-348: Use of Less Trusted Source