CWE
CWE/SANS Top 25 Most Dangerous Software Errors Common Weakness Scoring System
Common Weakness Risk Analysis Framework
Home > CWE List > CWE- Individual Dictionary Definition (2.1)  

CWE-393: Return of Wrong Status Code

 
Return of Wrong Status Code
Weakness ID: 393 (Weakness Base)Status: Draft
+ Description

Description Summary

A function or operation returns an incorrect return value or status code that does not indicate an error, but causes the product to modify its behavior based on the incorrect result.

Extended Description

This can lead to unpredictable behavior. If the function is used to make security-critical decisions or provide security-critical information, then the wrong status code can cause the software to assume that an action is safe, even when it is not.

+ Time of Introduction
  • Architecture and Design
  • Implementation
+ Applicable Platforms

Languages

All

+ Common Consequences
ScopeEffect
Integrity
Other

Technical Impact: Unexpected state; Alter execution logic

+ Demonstrative Examples

Example 1

In the following example, an HTTP 404 status code is returned in the event of an IOException encountered in a Java servlet. A 404 code is typically meant to indicate a non-existent resource and would be somewhat misleading in this case.

(Bad Code)
Example Language: Java 
try {
// something that might throw IOException
...
} catch (IOException ioe) {
response.sendError(SC_NOT_FOUND);
}
+ Observed Examples
ReferenceDescription
CVE-2003-1132DNS server returns wrong response code for non-existent AAAA record, which effectively says that the domain is inaccessible.
CVE-2001-1509Hardware-specific implementation of system call causes incorrect results from geteuid.
CVE-2001-1559System call returns wrong value, leading to a resultant NULL dereference.
+ Relationships
NatureTypeIDNameView(s) this relationship pertains toView(s)
ChildOfCategoryCategory389Error Conditions, Return Values, Status Codes
Development Concepts (primary)699
ChildOfWeakness BaseWeakness Base684Incorrect Provision of Specified Functionality
Research Concepts (primary)1000
ChildOfWeakness ClassWeakness Class703Improper Check or Handling of Exceptional Conditions
Research Concepts1000
+ Relationship Notes

This can be primary or resultant, but it is probably most often primary to other issues.

+ Taxonomy Mappings
Mapped Taxonomy NameNode IDFitMapped Node Name
PLOVERWrong Status Code
+ Maintenance Notes

This probably overlaps various categories, especially those related to error handling.

+ Content History
Submissions
Submission DateSubmitterOrganizationSource
PLOVERExternally Mined
Modifications
Modification DateModifierOrganizationSource
2008-07-01Sean EidemillerCigitalExternal
added/updated demonstrative examples
2008-07-01Eric DalciCigitalExternal
updated Time_of_Introduction
2008-09-08CWE Content TeamMITREInternal
updated Maintenance_Notes, Relationships, Other_Notes, Taxonomy_Mappings
2008-10-14CWE Content TeamMITREInternal
updated Description
2009-03-10CWE Content TeamMITREInternal
updated Relationships
2010-02-16CWE Content TeamMITREInternal
updated Other_Notes, Relationship_Notes
2011-06-01CWE Content TeamMITREInternal
updated Common_Consequences
2011-06-27CWE Content TeamMITREInternal
updated Common_Consequences
Previous Entry Names
Change DatePrevious Entry Name
2008-04-11Wrong Status Code
Back to top
Page Last Updated: September 12, 2011
 

CWE is a Software Assurance strategic initiative co-sponsored by the National Cyber Security Division of the U.S. Department of Homeland Security.

This Web site is sponsored and managed by The MITRE Corporation to enable stakeholder collaboration. Copyright © 2006-2012, The MITRE Corporation. CWE, CWSS, CWRAF, and the CWE logo are trademarks of The MITRE Corporation.

Contact cwe@mitre.org for more information.
Privacy policy
Terms of use
Contact us