Common Weakness Enumeration

A Community-Developed List of Software Weakness Types

CWE/SANS Top 25 Most Dangerous Software Errors
Home > CWE List > CWE- Individual Dictionary Definition (2.11)  

CWE-348: Use of Less Trusted Source

Weakness ID: 348
Abstraction: Base
Status: Draft
Presentation Filter:
+ Description

Description Summary

The software has two different sources of the same data or information, but it uses the source that has less support for verification, is less trusted, or is less resistant to attack.
+ Time of Introduction
  • Architecture and Design
  • Implementation
+ Applicable Platforms



+ Common Consequences
Access Control

Technical Impact: Bypass protection mechanism; Gain privileges / assume identity

An attacker could utilize the untrusted data source to bypass protection mechanisms and gain access to sensitive data.

+ Demonstrative Examples

Example 1

This code attempts to limit the access of a page to certain IP Addresses. It checks the 'HTTP_X_FORWARDED_FOR' header in case an authorized user is sending the request through a proxy.

(Bad Code)
Example Language: PHP 
$requestingIP = '';
if (array_key_exists('HTTP_X_FORWARDED_FOR', $_SERVER)) {
$requestingIP = $_SERVER['REMOTE_ADDR'];

echo "You are not authorized to view this page";

The 'HTTP_X_FORWARDED_FOR' header can be user controlled and so should never be trusted. An attacker can falsify the header to gain access to the page.

This fixed code only trusts the 'REMOTE_ADDR' header and so avoids the issue:

(Good Code)
Example Language: PHP 
$requestingIP = '';
if (array_key_exists('HTTP_X_FORWARDED_FOR', $_SERVER)) {
echo "This application cannot be accessed through a proxy.";
$requestingIP = $_SERVER['REMOTE_ADDR'];

Be aware that 'REMOTE_ADDR' can still be spoofed. This may seem useless because the server will send the response to the fake address and not the attacker, but this may still be enough to conduct an attack. For example, if the generatePage() function in this code is resource intensive, an attacker could flood the server with fake requests using an authorized IP and consume significant resources. This could be a serious DoS attack even though the attacker would never see the page's sensitive content.

+ Observed Examples
Product uses IP address provided by a client, instead of obtaining it from the packet headers, allowing easier spoofing.
Web product uses the IP address in the X-Forwarded-For HTTP header instead of a server variable that uses the connecting IP address, allowing filter bypass.
Similar to CVE-2004-1950
Product logs IP address specified by the client instead of obtaining it from the packet headers, allowing information hiding.
PHP application uses IP address from X-Forwarded-For HTTP header, instead of REMOTE_ADDR.
+ Relationships
NatureTypeIDNameView(s) this relationship pertains toView(s)
ChildOfWeakness ClassWeakness Class345Insufficient Verification of Data Authenticity
Development Concepts (primary)699
Research Concepts (primary)1000
ChildOfCategoryCategory975SFP Secondary Cluster: Architecture
Software Fault Pattern (SFP) Clusters (primary)888
MemberOfViewView884CWE Cross-section
CWE Cross-section (primary)884
+ Taxonomy Mappings
Mapped Taxonomy NameNode IDFitMapped Node Name
PLOVERUse of Less Trusted Source
+ Content History
Submission DateSubmitterOrganizationSource
PLOVERExternally Mined
Modification DateModifierOrganizationSource
2008-07-01Eric DalciCigitalExternal
updated Time_of_Introduction
2008-09-08CWE Content TeamMITREInternal
updated Relationships, Taxonomy_Mappings
2011-06-01CWE Content TeamMITREInternal
updated Common_Consequences
2012-05-11CWE Content TeamMITREInternal
updated Common_Consequences, Demonstrative_Examples, Observed_Examples, Related_Attack_Patterns, Relationships
2013-07-17CWE Content TeamMITREInternal
updated Relationships
2014-07-30CWE Content TeamMITREInternal
updated Relationships
2017-05-03CWE Content TeamMITREInternal
updated Related_Attack_Patterns

More information is available — Please select a different filter.
Page Last Updated: May 05, 2017