Common Weakness Enumeration

A Community-Developed List of Software Weakness Types

CWE/SANS Top 25 Most Dangerous Software Errors
Home > CWE List > CWE- Individual Dictionary Definition (2.11)  

CWE-224: Obscured Security-relevant Information by Alternate Name

Weakness ID: 224
Abstraction: Base
Status: Incomplete
Presentation Filter:
+ Description

Description Summary

The software records security-relevant information according to an alternate name of the affected entity, instead of the canonical name.
+ Time of Introduction
  • Architecture and Design
  • Implementation
  • Operation
+ Applicable Platforms



+ Common Consequences
Access Control

Technical Impact: Hide activities; Gain privileges / assume identity

+ Demonstrative Examples

Example 1

This code prints the contents of a file if a user has permission.

(Bad Code)
Example Language: PHP 
function readFile($filename){
$user = getCurrentUser();
$realFile = $filename;

//resolve file if its a symbolic link
$realFile = readlink($filename);

if(fileowner($realFile) == $user){
echo file_get_contents($realFile);
echo 'Access denied';
writeLog($user . ' attempted to access the file '. $filename . ' on '. date('r'));

While the code logs a bad access attempt, it logs the user supplied name for the file, not the canonicalized file name. An attacker can obscure his target by giving the script the name of a link to the file he is attempting to access. Also note this code contains a race condition between the is_link() and readlink() functions (CWE-363).

+ Observed Examples
Attacker performs malicious actions on a hard link to a file, obscuring the real target file.
+ Relationships
NatureTypeIDNameView(s) this relationship pertains toView(s)
ChildOfWeakness ClassWeakness Class221Information Loss or Omission
Development Concepts (primary)699
Research Concepts (primary)1000
ChildOfCategoryCategory997SFP Secondary Cluster: Information Loss
Software Fault Pattern (SFP) Clusters (primary)888
+ Taxonomy Mappings
Mapped Taxonomy NameNode IDFitMapped Node Name
PLOVERObscured Security-relevant Information by Alternate Name
+ References
[REF-11] M. Howard and D. LeBlanc. "Writing Secure Code". 2nd Edition. Microsoft. 2002.
+ Content History
Submission DateSubmitterOrganizationSource
PLOVERExternally Mined
Modification DateModifierOrganizationSource
2008-07-01Eric DalciCigitalExternal
updated Time_of_Introduction
2008-09-08CWE Content TeamMITREInternal
updated Relationships, Taxonomy_Mappings
2011-03-29CWE Content TeamMITREInternal
updated Demonstrative_Examples
2011-06-01CWE Content TeamMITREInternal
updated Common_Consequences
2012-05-11CWE Content TeamMITREInternal
updated References, Relationships
2012-10-30CWE Content TeamMITREInternal
updated Potential_Mitigations
2014-07-30CWE Content TeamMITREInternal
updated Relationships

More information is available — Please select a different filter.
Page Last Updated: May 05, 2017