CWE
Home > CWE List > CWE- Individual Dictionary Definition (1.6)  

CWE-625: Permissive Regular Expression

 
Permissive Regular Expression
Weakness ID: 625 (Weakness Base)Status: Draft
+ Description

Description Summary

The product uses a regular expression that does not sufficiently restrict the set of allowed values.

Extended Description

This effectively causes the regexp to accept substrings that match the pattern, which produces a partial comparison to the target. In some cases, this can lead to other weaknesses. Common errors include:

not identifying the beginning and end of the target string

using wildcards instead of acceptable character ranges

others

+ Time of Introduction
  • Implementation
+ Applicable Platforms

Languages

Perl

PHP

+ Demonstrative Examples

Example 1

(Bad Code)
Perl
$phone = GetPhoneNumber();
if ($phone =~ /\d+-\d+/) {
# looks like it only has hyphens and digits
system("lookup-phone $phone");
}
else {
error("malformed number!");
}

An attacker could provide an argument such as: "; ls -l ; echo 123-456" This would pass the check, since "123-456" is sufficient to match the "\d+-\d+" portion of the regular expression.

+ Observed Examples
ReferenceDescription
CVE-2006-1895".*" regexp leads to static code injection
CVE-2002-2175insertion of username into regexp results in partial comparison, causing wrong database entry to be updated when one username is a substring of another.
CVE-2006-4527regexp intended to verify that all characters are legal, only checks that at least one is legal, enabling file inclusion.
CVE-2005-1949Regexp for IP address isn't anchored at the end, allowing appending of shell metacharacters.
CVE-2002-2109Regexp isn't "anchored" to the beginning or end, which allows spoofed values that have trusted values as substrings.
CVE-2006-6511regexp in .htaccess file allows access of files whose names contain certain substrings
CVE-2006-6629allow load of macro files whose names contain certain substrings.
VIM Mailing list, March 14, 2006
+ Potential Mitigations
PhaseDescription

When applicable, ensure that your regular expression marks beginning and ending string patterns, such as "/^string$/" for Perl.

+ Other Notes

This problem is frequently found when the regular expression is used in input validation or security features such as authentication.

+ Weakness Ordinalities
OrdinalityDescription
Primary
(where the weakness exists independent of other weaknesses)
+ Relationships
NatureTypeIDNameView(s) this relationship pertains toView(s)
PeerOfWeakness BaseWeakness Base183Permissive Whitelist
Research Concepts1000
PeerOfWeakness BaseWeakness Base184Incomplete Blacklist
Research Concepts1000
ChildOfWeakness ClassWeakness Class185Incorrect Regular Expression
Development Concepts (primary)699
Research Concepts (primary)1000
PeerOfWeakness BaseWeakness Base187Partial Comparison
Research Concepts1000
ParentOfWeakness VariantWeakness Variant777Regular Expression without Anchors
Development Concepts (primary)699
Research Concepts (primary)1000
+ Content History
Modifications
Modification DateModifierOrganizationSource
2008-07-01Eric DalciCigitalExternal
updated Time of Introduction
2008-09-08CWE Content TeamMITREInternal
updated Applicable Platforms, Description, Relationships, Observed Example, Other Notes, Weakness Ordinalities
2009-03-10CWE Content TeamMITREInternal
updated Description
2009-05-27CWE Content TeamMITREInternal
updated Demonstrative Examples
2009-07-27CWE Content TeamMITREInternal
updated Relationships
Back to top
Page Last Updated: October 29, 2009
 

CWE is a Software Assurance strategic initiative sponsored by the National Cyber Security Division of the U.S. Department of Homeland Security.

This Web site is hosted by The MITRE Corporation.
Copyright 2009, The MITRE Corporation. CWE and the CWE logo are trademarks of The MITRE Corporation.

Contact cwe@mitre.org for more information.
Privacy policy
Terms of use
Contact us