CWE - CWE-92: Custom Special Character Injection (Draft 9)

Home > CWE List > CWE-92 Individual Dictionary Definition (Draft 9)

CWE List
Full Dictionary View
Classification Tree
Reports

About
Sources
Process
Documents

Community
Related Activities
Discussion List
Research

News
Calendar
Free Newsletter

Compatibility
Program
Requirements
Declarations
Make a Declaration

Contact Us
Search the Site

Section Contents
CWE List
Full Dictionary View
Classification Tree
Reports
Other Items of Interest
Sources

Key
- Weakness
- Base
- Variant
- Class
- Chain
- Composite
- Category
- View
- Deprecated

CWE-92 Individual Dictionary Definition (Draft 9)

Weakness ID

Status: Incomplete

92 (Weakness Base)

Description

Summary

The software does not properly filter or quote special characters or reserved words that are used in a custom or proprietary language or representation that is used by the product, allowing attackers to modify the syntax, content, or commands before they are processed by an end system.

Weakness Ordinality

Primary (Weakness exists independent of other weaknesses)

Causal Nature

Explicit (This is an explicit weakness resulting from behavior of the developer)

Potential Mitigations

Assume all input is malicious. Use an appropriate combination of black lists and white lists to appropriately filter or quote custom special characters or reserved words in user-controlled input.

Observed Examples

Reference	Description
CVE-2001-0677	Read arbitrary files from mail client by providing a special MIME header that is internally used to store pathnames for attachments.
CVE-2000-0703	Setuid program does not cleanse special escape sequence before sending data to a mail program, causing the mail program to process those sequences
CVE-2003-0020	Multi-channel issue. Terminal escape sequences not filtered from log files.
CVE-2003-0083	Multi-channel issue. Terminal escape sequences not filtered from log files.

Context Notes

Factors: can be primary to interaction errors.

Research Gaps

Under-studied. It is likely that these issues are fairly common in applications that use their own custom format for configuration files, logs, meta-data, messaging, etc. They would only be found by accident or with a focused effort based on an understanding of the format.

Relationships

Nature	Type	ID	Name
ChildOf	Weakness Class	74	Failure to Sanitize Data into a Different Plane (aka 'Injection')

Source Taxonomies

PLOVER - Custom Special Character Injection

Applicable Platforms

All

Related Attack Patterns

CAPEC-ID	Attack Pattern Name
81	Web Logs Tampering
93	Log Injection-Tampering-Forging

Page Last Updated: April 22, 2008


	CWE is sponsored by the National Cyber Security Division of the U.S. Department of Homeland Security. This Web site is hosted by The MITRE Corporation. Copyright 2008, The MITRE Corporation. CWE and the CWE logo are trademarks of The MITRE Corporation. Contact cwe@mitre.org for more information.	Privacy policy Terms of use Contact us