Determine the size and type of files that users are expected to upload
to your system, and take measures to ensure that the files meet those
requirements.
Other Notes
This can have a chaining relationship with incomplete blacklist /
permissive whitelist errors when the product tries, but fails, to properly
limit which types of files are allowed.
This can also overlap multiple interpretation errors for intermediaries,
e.g. anti-virus products that do not filter attachments with certain file
extensions that can be processed by client systems.
This can be primary when there is no check at all. It is frequently
resultant when the use of double extensions (e.g. ".php.gif") bypasses
sanity checks. It is also resultant from client-side enforcement: some
products include web script in web clients to check the filename, without
verifying on the server side.
PHP applications are most targeted, but this likely applies to other
languages that support file upload, as well as non-web technologies. ASP
applications have also demonstrated this problem.
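As an added example (not part of the original notes), the following Python routine applies the size and type requirements described above on the server side, where client-side filename checks cannot be bypassed, and rejects the double-extension trick and null bytes in names; PHP is the most-targeted platform per the notes, but the logic is language-independent. The allow-list, magic bytes and size cap are assumptions chosen for illustration.

```python
import os
import re

# Upload policy (constructed for this example): permitted extensions and the
# magic bytes a file claiming that type must begin with, plus a size cap.
ALLOWED_TYPES = {
    "png": b"\x89PNG\r\n\x1a\n",
    "gif": b"GIF8",
    "jpg": b"\xff\xd8\xff",
}
MAX_UPLOAD_BYTES = 5 * 1024 * 1024

# Server-side script extensions that must not appear in ANY segment of the
# name, so "shell.php.gif" is caught even though its final extension is .gif.
SCRIPT_EXTENSIONS = {"php", "php3", "php5", "phtml", "asp", "aspx", "jsp", "cgi", "pl"}

# Only plain filename characters; rejects null bytes, path separators and
# other characters that different components may interpret differently.
SAFE_NAME = re.compile(r"^[A-Za-z0-9_.-]+$")


def naive_check(filename: str) -> bool:
    """The weak check discussed above: trusts only the trailing extension."""
    return filename.rsplit(".", 1)[-1].lower() in ALLOWED_TYPES


def validate_upload(filename: str, data: bytes) -> tuple[bool, str]:
    """Server-side validation of an uploaded file; returns (accepted, reason)."""
    if len(data) > MAX_UPLOAD_BYTES:
        return False, "file exceeds size limit"
    name = os.path.basename(filename)  # discard any client-supplied path
    if not SAFE_NAME.match(name):
        return False, "filename contains disallowed characters"
    parts = name.lower().split(".")
    if len(parts) < 2 or not parts[0]:
        return False, "missing or empty extension"
    segments = parts[1:]
    if any(seg in SCRIPT_EXTENSIONS for seg in segments):
        return False, "script extension present in filename"
    if len(segments) != 1:
        return False, "multiple extensions not permitted"
    ext = segments[0]
    if ext not in ALLOWED_TYPES:
        return False, f"extension .{ext} not in allow-list"
    if not data.startswith(ALLOWED_TYPES[ext]):
        return False, "content does not match declared type"
    # A matching header does not prove the body is benign; the stored file must
    # still be served from a location where no script handler executes it.
    return True, "ok"
```

`naive_check("shell.php.gif")` returns True, which is exactly the failure the notes describe; `validate_upload` rejects the same name because ".php" appears as an inner segment.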
Product does not compare all required data in two
separate elements, causing it to think they are the same, leading to loss of
ACLs. Similar to Same Name error.
Product A handles inputs or steps differently than Product B,
which causes A to perform incorrect actions based on its perception of B's
state.
Extended Description
This is generally found in proxies, firewalls, anti-virus software, and
other intermediary devices that allow, deny, or modify traffic based on how
the client or server is expected to behave.
FTP clients sending a command with "PASV" in the
argument can cause firewalls to misinterpret the server's error as a valid
response, allowing filter bypass.
Interpretation conflict (non-standard behavior)
enables XSS because browser ignores invalid characters in the middle of
tags.
Other Notes
The classic multiple interpretation flaws were reported in a paper that
described the limitations of intrusion detection systems. Ptacek and Newsham
(see references below) showed that OSes varied widely in their behavior with
respect to unusual network traffic, which made it difficult or impossible
for intrusion detection systems to properly detect certain attacker
manipulations that took advantage of the OS differences. Another classic
multiple interpretation error is the "poison null byte" described by Rain
Forest Puppy (see reference below), in which null characters have different
interpretations in Perl and C, which have security consequences when Perl
invokes C functions. Similar problems have been reported in ASP (see ASP
reference below) and PHP. Some of the more complex web-based attacks, such
as HTTP request smuggling, also involve multiple interpretation
errors.
A comment on a way to manage these problems is given by David Skoll in the
reference below.
Manipulations are major factors in multiple interpretation errors, such as
doubling, inconsistencies between related fields, and whitespace.