CWE - CWE-827: Improper Control of Document Type Definition (2.4)

Home > CWE List > CWE- Individual Dictionary Definition (2.4)

CWE List
Full Dictionary View
Development View
Research View
Reports

About
Sources
Process
Documents
FAQs

Community
SwA On-Ramp
T-Shirt
Discussion List
Discussion Archives
Contact Us

Scoring
CWSS
CWRAF
CWE/SANS Top 25

Compatibility
Requirements
Coverage Claims Representation
Compatible Products
Make a Declaration

News
Calendar
Free Newsletter

Search the Site

CWE-827: Improper Control of Document Type Definition

Improper Control of Document Type Definition

Weakness ID: 827 (Weakness Base)

Status: Incomplete

Description

Description Summary

The software does not restrict a reference to a Document Type Definition (DTD) to the intended control sphere. This might allow attackers to reference arbitrary DTDs, possibly causing the software to expose files, consume excessive system resources, or execute arbitrary http requests on behalf of the attacker.

Extended Description

As DTDs are processed, they might try to read or include files on the machine performing the parsing. If an attacker is able to control the DTD, then the attacker might be able to specify sensitive resources or requests or provide malicious content.

For example, the SOAP specification prohibits SOAP messages from containing DTDs.

Applicable Platforms

Languages

XML

Architectural Paradigms

Web-based

Common Consequences

Scope	Effect
Confidentiality	Technical Impact: Read files or directories If the attacker is able to include a crafted DTD and a default entity resolver is enabled, the attacker may be able to access arbitrary files on the system.
Availability	Technical Impact: DoS: resource consumption (CPU); DoS: resource consumption (memory) The DTD may cause the parser to consume excessive CPU cycles or memory using techniques such as nested or recursive entity references (CWE-776).
Integrity Confidentiality Availability Access Control	Technical Impact: Execute unauthorized code or commands; Gain privileges / assume identity The DTD may include arbitrary HTTP requests that the server may execute. This could lead to other attacks leveraging the server's trust relationship with other entities.

Observed Examples

Reference	Description
CVE-2010-2076	Product does not properly reject DTDs in SOAP messages, which allows remote attackers to read arbitrary files, send HTTP requests to intranet servers, or cause a denial of service.

Relationships

Nature	Type	ID	Name	View(s) this relationship pertains to
ChildOf	Category	442	Web Problems	Development Concepts (primary)699
ChildOf	Weakness Class	706	Use of Incorrectly-Resolved Name or Reference	Research Concepts (primary)1000
ChildOf	Weakness Class	829	Inclusion of Functionality from Untrusted Control Sphere	Research Concepts1000
CanPrecede	Weakness Variant	776	Improper Restriction of Recursive Entity References in DTDs ('XML Entity Expansion')	Research Concepts1000

References

Daniel Kulp. "Apache CXF Security Advisory (CVE-2010-2076)". 2010-06-16. <http://svn.apache.org/repos/asf/cxf/trunk/security/CVE-2010-2076.pdf>.

Content History

Submissions
Submission Date	Submitter	Organization	Source
2010-10-25		MITRE	Internal CWE Team
2010-10-25
Modifications
Modification Date	Modifier	Organization	Source
2011-03-29	CWE Content Team	MITRE	Internal
2011-03-29	updated Relationships
2011-06-01	CWE Content Team	MITRE	Internal
2011-06-01	updated Common_Consequences
2013-02-21	CWE Content Team	MITRE	Internal
2013-02-21	updated Applicable_Platforms

Page Last Updated: February 20, 2013


	CWE is co-sponsored by the office of Cybersecurity and Communications at the U.S. Department of Homeland Security. This Web site is sponsored and managed by The MITRE Corporation to enable stakeholder collaboration. Copyright © 2006-2013, The MITRE Corporation. CWE, CWSS, CWRAF, and the CWE logo are trademarks of The MITRE Corporation. Contact cwe@mitre.org for more information.	Privacy policy Terms of use Contact us