CWE

Common Weakness Enumeration

A Community-Developed List of Software Weakness Types

CWE/SANS Top 25 Most Dangerous Software Errors
Home > CWE List > CWE- Individual Dictionary Definition (2.11)  
ID

CWE-646: Reliance on File Name or Extension of Externally-Supplied File

Weakness ID: 646
Abstraction: Variant
Status: Incomplete
Presentation Filter:
+ Description

Description Summary

The software allows a file to be uploaded, but it relies on the file name or extension of the file to determine the appropriate behaviors. This could be used by attackers to cause the file to be misclassified and processed in a dangerous fashion.

Extended Description

An application might use the file name or extension of of a user-supplied file to determine the proper course of action, such as selecting the correct process to which control should be passed, deciding what data should be made available, or what resources should be allocated. If the attacker can cause the code to misclassify the supplied file, then the wrong action could occur. For example, an attacker could supply a file that ends in a ".php.gif" extension that appears to be a GIF image, but would be processed as PHP code. In extreme cases, code execution is possible, but the attacker could also cause exhaustion of resources, denial of service, exposure of debug or system data (including application source code), or being bound to a particular server side process. This weakness may be due to a vulnerability in any of the technologies used by the web and application servers, due to misconfiguration, or resultant from another flaw in the application itself.

+ Time of Introduction
  • Architecture and Design
  • Implementation
  • Operation
+ Applicable Platforms

Languages

Language-independent

+ Common Consequences
ScopeEffect
Confidentiality

Technical Impact: Read application data

An attacker may be able to read sensitive data.

Availability

Technical Impact: DoS: crash / exit / restart

An attacker may be able to cause a denial of service.

Access Control

Technical Impact: Gain privileges / assume identity

An attacker may be able to gain privileges.

+ Likelihood of Exploit

High

+ Enabling Factors for Exploitation

There is reliance on file name and/or file extension on the server side for processing.

+ Potential Mitigations

Phase: Architecture and Design

Make decisions on the server side based on file content and not on file name or extension.

+ Relationships
NatureTypeIDNameView(s) this relationship pertains toView(s)
ChildOfWeakness ClassWeakness Class345Insufficient Verification of Data Authenticity
Development Concepts (primary)699
Research Concepts (primary)1000
ChildOfCategoryCategory442Web Problems
Development Concepts699
ChildOfCategoryCategory990SFP Secondary Cluster: Tainted Input to Command
Software Fault Pattern (SFP) Clusters (primary)888
+ Content History
Submissions
Submission DateSubmitterOrganizationSource
2008-01-30Evgeny LebanidzeCigitalExternal Submission
Modifications
Modification DateModifierOrganizationSource
2008-09-08CWE Content TeamMITREInternal
updated Common_Consequences, Relationships, Observed_Example
2008-10-13CWE Content TeamMITREInternal
Significant clarification of the weakness description.
2008-10-14CWE Content TeamMITREInternal
updated Description, Name, Observed_Examples, Relationships
2009-07-27CWE Content TeamMITREInternal
updated Related_Attack_Patterns
2009-10-29CWE Content TeamMITREInternal
updated Common_Consequences
2010-12-13CWE Content TeamMITREInternal
updated Applicable_Platforms, Common_Consequences
2011-03-29CWE Content TeamMITREInternal
updated Common_Consequences, Description
2011-06-01CWE Content TeamMITREInternal
updated Common_Consequences
2012-05-11CWE Content TeamMITREInternal
updated Relationships
2012-10-30CWE Content TeamMITREInternal
updated Potential_Mitigations
2014-07-30CWE Content TeamMITREInternal
updated Relationships
Previous Entry Names
Change DatePrevious Entry Name
2008-10-14Taking Actions based on File Name or Extension of a User Supplied File

More information is available — Please select a different filter.
Page Last Updated: May 05, 2017