CWE Individual Dictionary Definition (CWE version 1.1)

CWE-610: Externally Controlled Reference to a Resource in Another Sphere

Status: Draft
Weakness ID: 610 (Weakness Class)
Description
Summary

The product uses an externally controlled name or reference that resolves to a resource that is outside of the intended control sphere.

Extended Description
Other Notes

This is a general class of weakness, but most research is focused on more specialized cases, such as path traversal (CWE-22) and symlink following (CWE-61). A symbolic link has a name; in general, it appears like any other file in the file system. However, the link includes a reference to another file, often in another directory - perhaps in another sphere of control. Many common library functions that accept filenames will "follow" a symbolic link and use the link's target instead.

Cross-zone scripting is an attack on web browsers in which this weakness appears as a resultant weakness; CVE-2007-0800 is one example.
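The notes above describe the mechanism behind the two specialized cases: a caller-supplied name is joined to a trusted directory, and the library call that opens it silently follows `..` segments (CWE-22) or a symbolic link (CWE-61) to a file in another sphere of control. The following added example (not part of the CWE entry) builds a constructed temporary tree in which a symlink inside a "public" directory points at a file in a sibling "secret" directory, shows that a naive concatenate-and-open read returns the secret file, and then shows a check that resolves the name first and rejects anything whose final target lies outside the intended directory. The directory names, file contents and helper names are all assumptions made for the demonstration.

```python
import os
import shutil
import tempfile
from pathlib import Path


class UnsafeReferenceError(Exception):
    """Raised when a caller-supplied name resolves outside the intended directory."""


def resolve_within(base_dir, user_name):
    """Resolve user_name relative to base_dir and verify that the final target,
    after every symlink has been followed and every '..' collapsed, is still
    inside base_dir.  Returns the resolved path or raises UnsafeReferenceError.
    Checking the *resolved* path is what catches both traversal and symlinks."""
    base = Path(base_dir).resolve()
    candidate = (base / user_name).resolve()
    if candidate != base and base not in candidate.parents:
        raise UnsafeReferenceError(f"{user_name!r} resolves to {candidate}, outside {base}")
    return candidate


def open_within(base_dir, user_name):
    """Open a file under base_dir for reading, refusing names that escape it.
    O_NOFOLLOW (where the platform has it) makes the open itself fail if the
    last component has been swapped for a symlink after the check ran."""
    target = resolve_within(base_dir, user_name)
    flags = os.O_RDONLY | getattr(os, "O_NOFOLLOW", 0)
    return os.fdopen(os.open(target, flags), "rb")


def naive_read(base_dir, user_name):
    """The weak pattern: join the name onto the base directory and open it.
    open() follows the symlink, so the caller gets whatever the link targets."""
    with open(os.path.join(base_dir, user_name), "rb") as f:
        return f.read()


def build_demo_tree():
    """Constructed sample layout (an assumption, not from the CWE page):
         <tmp>/public/notes.txt   regular file inside the intended sphere
         <tmp>/public/link_out    symlink -> <tmp>/secret/key.txt (outside)
         <tmp>/secret/key.txt     the file the link points at
    Returns the public directory; its parent is the root to clean up."""
    root = Path(tempfile.mkdtemp(prefix="cwe610_"))
    public, secret = root / "public", root / "secret"
    public.mkdir()
    secret.mkdir()
    (public / "notes.txt").write_text("public content\n")
    (secret / "key.txt").write_text("secret content\n")
    os.symlink(secret / "key.txt", public / "link_out")
    return public


def check_names(base_dir, names):
    """Return {name: 'allowed' | 'rejected'} for each caller-supplied name."""
    verdicts = {}
    for name in names:
        try:
            resolve_within(base_dir, name)
            verdicts[name] = "allowed"
        except UnsafeReferenceError:
            verdicts[name] = "rejected"
    return verdicts


def demo():
    """Run the weak and the checked reads against the constructed tree.
    Returns (naive_bytes, safe_bytes, verdicts)."""
    public = build_demo_tree()
    try:
        naive = naive_read(public, "link_out")          # follows the link out of the sphere
        with open_within(public, "notes.txt") as f:     # in-sphere file still readable
            safe = f.read()
        verdicts = check_names(public, ["notes.txt", "link_out", "../secret/key.txt"])
        return naive, safe, verdicts
    finally:
        shutil.rmtree(public.parent)


if __name__ == "__main__":
    print(demo())
```

The containment test compares resolved paths rather than string prefixes, so a base of `/srv/public` does not accidentally accept `/srv/public_old/...`, and the symlink is caught because `Path.resolve()` follows it before the comparison is made.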

Relationships
Nature   | Type             | ID  | Name                                                                                | View(s) this relationship pertains to
ChildOf  | Weakness Class   | 664 | Insufficient Control of a Resource Through its Lifetime                             | Research Concepts (primary), view 1000
ChildOf  | Category         | 265 | Privilege / Sandbox Issues                                                          | Development Concepts (primary), view 699
ParentOf | Weakness Base    | 15  | External Control of System or Configuration Setting                                 | Research Concepts (primary), view 1000
PeerOf   | Weakness Base    | 386 | Symbolic Name not Mapping to Correct Object                                         | Research Concepts, view 1000
ParentOf | Weakness Base    | 441 | Unintended Proxy/Intermediary                                                       | Research Concepts (primary), view 1000
ParentOf | Weakness Base    | 470 | Use of Externally-Controlled Input to Select Classes or Code (aka 'Unsafe Reflection') | Research Concepts (primary), view 1000
ParentOf | Weakness Variant | 601 | URL Redirection to Untrusted Site (aka 'Open Redirect')                             | Research Concepts (primary), view 1000
ParentOf | Weakness Variant | 611 | Information Leak Through XML External Entity File Disclosure                        | Research Concepts, view 1000
ParentOf | Weakness Class   | 73  | External Control of File Name or Path                                               | Research Concepts (primary), view 1000
Taxonomy Mappings
Mapped Taxonomy Name: Anonymous Tool Vendor (under NDA)
Time of Introduction
* Architecture and Design
Content History
Submissions
Anonymous Tool Vendor (under NDA). (Externally Mined)
Modifications
CWE Content Team. MITRE. 2008-09-08. (Internal)
updated Relationships, Other_Notes, Taxonomy_Mappings
Previous Entry Names
* Externally Controlled Reference to an Internal Resource (changed 2008-04-11)
Page Last Updated: November 24, 2008