DEPRECATED: Failure to Protect Stored Data from Modification
Weakness ID: 217 (Deprecated Weakness Base)
Status: Deprecated
Description
Description Summary
This weakness has been deprecated because it incorporated and
confused multiple weaknesses. The issues formerly covered in this weakness can
be found at CWE-766 and CWE-767.
Content History
Submissions
Submission Date | Submitter | Organization | Source
 | CLASP | | Externally Mined
Modifications
Modification Date | Modifier | Organization | Source
2008-07-01 | Eric Dalci | Cigital | External
    updated Time of Introduction
2008-09-08 | CWE Content Team | MITRE | Internal
    updated Common Consequences, Relationships, Other Notes, Taxonomy Mappings
2009-05-20 | CWE Content Team | MITRE | Internal
    deprecated this entry in favor of new entries which focus on the multiple weaknesses formerly described here, CWE-766 and CWE-767
2009-05-27 | CWE Content Team | MITRE | Internal
    updated Alternate Terms, Applicable Platforms, Common Consequences, Demonstrative Examples, Description, Likelihood of Exploit, Name, Other Notes, Potential Mitigations, Related Attack Patterns, Relationships, Taxonomy Mappings, Time of Introduction, Type
DEPRECATED: Improper Sanitization of Custom Special Characters
Weakness ID: 92 (Deprecated Weakness Base)
Status: Deprecated
Description
Description Summary
The software uses a custom or proprietary language or
representation, but when it receives input from an upstream component, it does
not sanitize or incorrectly sanitizes special elements when they are sent to a
downstream component.
Extended Description
This allows attackers to modify the syntax, content, or commands before
they are processed by a downstream component.
Maintenance Notes
This and some other CWE entries were distinct in PLOVER but effectively
have overlap in CWE. PLOVER sometimes defined "other" and "miscellaneous"
categories in order to satisfy exhaustiveness requirements for taxonomies.
Within the context of CWE, the use of a more abstract entry is preferred in
mapping situations.
This weakness has been deprecated because its name and
description did not match. The description duplicated CWE-454, while the name
suggested a more abstract initialization problem. Please refer to CWE-665 for
the more abstract problem.
This entry has been deprecated because of name confusion and an
accidental combination of multiple weaknesses. Most of its content has been
transferred to CWE-785.
Maintenance Notes
This entry was deprecated for several reasons. The primary reason is
over-loading of the "path manipulation" term and the description. The
original description for this entry was the same as that for the "Often
Misused: File System" item in the original Seven Pernicious Kingdoms paper.
However, Seven Pernicious Kingdoms also has a "Path Manipulation" phrase
that is for external control of pathnames (CWE-73), which is a factor in
symbolic link following and path traversal, neither of which is explicitly
mentioned in 7PK. Fortify uses the phrase "Often Misused: Path Manipulation"
for a broader range of problems, generally for issues related to buffer
management. Given the multiple conflicting uses of this term, there is a
chance that CWE users may have incorrectly mapped to this entry.
The second reason for deprecation is an implied combination of multiple
weaknesses within buffer-handling functions. The focus of this entry has
generally been on the path-conversion functions and their association with
buffer overflows. However, some of Fortify's Vulncat entries have the term
"path manipulation" but describe a non-overflow weakness in which the buffer
is not guaranteed to contain the entire pathname, i.e., there is information
truncation (see CWE-222 for a similar concept). A new entry for this
non-overflow weakness may be created in a future version of CWE.
Content History
Submissions
Submission Date | Submitter | Organization | Source
 | 7 Pernicious Kingdoms | | Externally Mined
Modifications
Modification Date | Modifier | Organization | Source
2008-07-01 | Eric Dalci | Cigital | External
    updated Time of Introduction
2008-08-01 | | KDM Analytics | External
    added/updated white box definitions
2008-09-08 | CWE Content Team | MITRE | Internal
    updated Applicable Platforms, Relationships, Other Notes, Taxonomy Mappings
2009-05-27 | CWE Content Team | MITRE | Internal
    updated Demonstrative Examples
2009-07-17 (Critical) | | KDM Analytics | External
    Described inconsistencies in this entry, which the CWE Content Team had already slated for deprecation.
2009-07-27 | CWE Content Team | MITRE | Internal
    updated Affected Resources, Applicable Platforms, Demonstrative Examples, Description, Maintenance Notes, Name, Other Notes, Potential Mitigations, Relationships, Taxonomy Mappings, Time of Introduction, Type, White Box Definitions