CWE-794: Incomplete Filtering of Multiple Instances of Special Elements
Weakness ID: 794
Abstraction: Variant
Status: Incomplete
Presentation Filter:
Description
Description Summary
The software receives data from an upstream component, but does not filter all instances of a special element before sending it to a downstream component.
Extended Description
Incomplete filtering of this nature may be applied to
sequential elements (special elements that appear next to each other) or
non-sequential elements (special elements that appear multiple times in different locations).
Common Consequences
Scope
Effect
Integrity
Technical Impact: Unexpected state
Demonstrative Examples
Example 1
The following code takes untrusted input and uses a regular
expression to filter "../" from the input. It then appends this result to
the /home/user/ directory and attempts to read the file in the final
resulting path.
(Bad Code)
Example
Language: Perl
my $Username = GetUntrustedInput();
$Username =~ s/\.\.\///;
my $filename = "/home/user/" . $Username;
ReadAndSendFile($filename);
Since the regular expression does not have the /g global match
modifier, it only removes the first instance of "../" it comes across.
So an input value such as:
(Attack)
../../../etc/passwd
will have the first "../" stripped, resulting in:
(Result)
../../etc/passwd
This value is then concatenated with the /home/user/ directory:
(Result)
/home/user/../../etc/passwd
which causes the /etc/passwd file to be retrieved once the operating system has resolved the ../ sequences in the pathname. This leads to relative path traversal (CWE-23).
More information is available — Please select a different filter.
Page Last Updated:
May 05, 2017
Use of the Common Weakness Enumeration and the associated references from this website are subject to the
Terms of Use. For more information, please email
cwe@mitre.org.
Description
