Category Archives: CWE

CWE-93 – Improper Neutralization of CRLF Sequences (‘CRLF Injection’)

Read Time:51 Second

Description

The software uses CRLF (carriage return line feeds) as a special element, e.g. to separate lines or records, but it does not neutralize or incorrectly neutralizes CRLF sequences from inputs.

Modes of Introduction:

– Architecture and Design

Likelihood of Exploit:

 

Related Weaknesses

CWE-74
CWE-117

 

Consequences

Integrity: Modify Application Data

 

Potential Mitigations

Phase: Implementation

Effectiveness:

Description: 

Avoid using CRLF as a special sequence.

Phase: Implementation

Effectiveness:

Description: 

Appropriately filter or quote CRLF sequences in user-controlled input.

CVE References

 

  • CVE-2002-1771
    • CRLF injection enables spam proxy (add mail headers) using email address or name.
  • CVE-2002-1783
    • CRLF injection in API function arguments modify headers for outgoing requests.
  • CVE-2004-1513
    • Spoofed entries in web server log file via carriage returns
  • CVE-2006-4624
    • Chain: inject fake log entries with fake timestamps using CRLF injection
  • CVE-2005-1951
    • Chain: Application accepts CRLF in an object ID, allowing HTTP response splitting.
  • CVE-2004-1687
    • Chain: HTTP response splitting via CRLF in parameter related to URL.

CWE-939 – Improper Authorization in Handler for Custom URL Scheme

Read Time:47 Second

Description

The software uses a handler for a custom URL scheme, but it does not properly restrict which actors can invoke the handler using the scheme.

Mobile platforms and other architectures allow the use of custom URL schemes to facilitate communication between applications. In the case of iOS, this is the only method to do inter-application communication. The implementation is at the developer’s discretion which may open security flaws in the application. An example could be potentially dangerous functionality such as modifying files through a custom URL scheme.

Modes of Introduction:

– Implementation

Likelihood of Exploit:

 

Related Weaknesses

CWE-862

 

Consequences

 

Potential Mitigations

Phase: Architecture and Design

Effectiveness:

Description: 

CVE References

 

  • CVE-2013-5725
    • URL scheme has action replace which requires no user prompt and allows remote attackers to perform undesired actions.
  • CVE-2013-5726
    • URL scheme has action follow and favorite which allows remote attackers to force user to perform undesired actions.

CWE-836 – Use of Password Hash Instead of Password for Authentication

Read Time:37 Second

Description

The software records password hashes in a data store, receives a hash of a password from a client, and compares the supplied hash to the hash obtained from the data store.

Modes of Introduction:

– Implementation

Likelihood of Exploit:

 

Related Weaknesses

CWE-287
CWE-602

 

Consequences

Access Control: Bypass Protection Mechanism, Gain Privileges or Assume Identity

An attacker could bypass the authentication routine without knowing the original password.

 

Potential Mitigations

CVE References

 

  • CVE-2009-1283
    • Product performs authentication with user-supplied password hashes that can be obtained from a separate SQL injection vulnerability (CVE-2009-1282).
  • CVE-2005-3435
    • Product allows attackers to bypass authentication by obtaining the password hash for another user and specifying the hash in the pwd argument.

CWE-837 – Improper Enforcement of a Single, Unique Action

Read Time:1 Minute, 26 Second

Description

The software requires that an actor should only be able to perform an action once, or to have only one unique action, but the software does not enforce or improperly enforces this restriction.

In various applications, a user is only expected to perform a certain action once, such as voting, requesting a refund, or making a purchase. When this restriction is not enforced, sometimes this can have security implications. For example, in a voting application, an attacker could attempt to “stuff the ballot box” by voting multiple times. If these votes are counted separately, then the attacker could directly affect who wins the vote. This could have significant business impact depending on the purpose of the software.

Modes of Introduction:

Likelihood of Exploit:

 

Related Weaknesses

CWE-799

 

Consequences

Other:

An attacker might be able to gain advantage over other users by performing the action multiple times, or affect the correctness of the software.

 

Potential Mitigations

CVE References

 

  • CVE-2008-0294
    • Ticket-booking web application allows a user to lock a seat more than once.
  • CVE-2005-4051
    • CMS allows people to rate downloads by voting more than once.
  • CVE-2002-216
    • Polling software allows people to vote more than once by setting a cookie.
  • CVE-2003-1433
    • Chain: lack of validation of a challenge key in a game allows a player to register multiple times and lock other players out of the game.
  • CVE-2002-1018
    • Library feature allows attackers to check out the same e-book multiple times, preventing other users from accessing copies of the e-book.
  • CVE-2009-2346
    • Protocol implementation allows remote attackers to cause a denial of service (call-number exhaustion) by initiating many message exchanges.

CWE-838 – Inappropriate Encoding for Output Context

Read Time:1 Minute, 6 Second

Description

The software uses or specifies an encoding when generating output to a downstream component, but the specified encoding is not the same as the encoding that is expected by the downstream component.

Modes of Introduction:

Likelihood of Exploit:

 

Related Weaknesses

CWE-116
CWE-116

 

Consequences

Integrity, Confidentiality, Availability: Modify Application Data, Execute Unauthorized Code or Commands

An attacker could modify the structure of the message or data being sent to the downstream component, possibly injecting commands.

 

Potential Mitigations

Phase: Implementation

Effectiveness:

Description: 

Use context-aware encoding. That is, understand which encoding is being used by the downstream component, and ensure that this encoding is used. If an encoding can be specified, do so, instead of assuming that the default encoding is the same as the default being assumed by the downstream component.

Phase: Architecture and Design

Effectiveness:

Description: 

Where possible, use communications protocols or data formats that provide strict boundaries between control and data. If this is not feasible, ensure that the protocols or formats allow the communicating components to explicitly state which encoding/decoding method is being used. Some template frameworks provide built-in support.

Phase: Architecture and Design

Effectiveness:

Description: 

CVE References

 

  • CVE-2009-2814
    • Server does not properly handle requests that do not contain UTF-8 data; browser assumes UTF-8, allowing XSS.

CWE-839 – Numeric Range Comparison Without Minimum Check

Read Time:1 Minute, 58 Second

Description

The program checks a value to ensure that it is less than or equal to a maximum, but it does not also verify that the value is greater than or equal to the minimum.

Modes of Introduction:

Likelihood of Exploit:

 

Related Weaknesses

CWE-1023
CWE-195
CWE-682
CWE-119
CWE-124

 

Consequences

Integrity, Confidentiality, Availability: Modify Application Data, Execute Unauthorized Code or Commands

An attacker could modify the structure of the message or data being sent to the downstream component, possibly injecting commands.

Availability: DoS: Resource Consumption (Other)

in some contexts, a negative value could lead to resource consumption.

Confidentiality, Integrity: Modify Memory, Read Memory

If a negative value is used to access memory, buffers, or other indexable structures, it could access memory outside the bounds of the buffer.

 

Potential Mitigations

Phase: Implementation

Effectiveness:

Description: 

If the number to be used is always expected to be positive, change the variable type from signed to unsigned or size_t.

Phase: Implementation

Effectiveness:

Description: 

If the number to be used could have a negative value based on the specification (thus requiring a signed value), but the number should only be positive to preserve code correctness, then include a check to ensure that the value is positive.

CVE References

 

  • CVE-2010-1866
    • Chain: integer overflow causes a negative signed value, which later bypasses a maximum-only check, leading to heap-based buffer overflow.
  • CVE-2009-1099
    • Chain: 16-bit counter can be interpreted as a negative value, compared to a 32-bit maximum value, leading to buffer under-write.
  • CVE-2011-0521
    • Chain: kernel’s lack of a check for a negative value leads to memory corruption.
  • CVE-2010-3704
    • Chain: parser uses atoi() but does not check for a negative value, which can happen on some platforms, leading to buffer under-write.
  • CVE-2010-2530
    • Chain: Negative value stored in an int bypasses a size check and causes allocation of large amounts of memory.
  • CVE-2009-3080
    • Chain: negative offset value to IOCTL bypasses check for maximum index, then used as an array index for buffer under-read.
  • CVE-2008-6393
    • chain: file transfer client performs signed comparison, leading to integer overflow and heap-based buffer overflow.
  • CVE-2008-4558
    • chain: negative ID in media player bypasses check for maximum index, then used as an array index for buffer under-read.

CWE-84 – Improper Neutralization of Encoded URI Schemes in a Web Page

Read Time:2 Minute, 8 Second

Description

The web application improperly neutralizes user-controlled input for executable script disguised with URI encodings.

Modes of Introduction:

– Architecture and Design

Likelihood of Exploit:

 

Related Weaknesses

CWE-79

 

Consequences

Integrity: Unexpected State

 

Potential Mitigations

Phase: Implementation

Effectiveness:

Description: 

Resolve all URIs to absolute or canonical representations before processing.

Phase: Implementation

Effectiveness:

Description: 

Carefully check each input parameter against a rigorous positive specification (allowlist) defining the specific characters and format allowed. All input should be neutralized, not just parameters that the user is supposed to specify, but all data in the request, including tag attributes, hidden fields, cookies, headers, the URL itself, and so forth. A common mistake that leads to continuing XSS vulnerabilities is to validate only fields that are expected to be redisplayed by the site. We often encounter data from the request that is reflected by the application server or the application that the development team did not anticipate. Also, a field that is not currently reflected may be used by a future developer. Therefore, validating ALL parts of the HTTP request is recommended.

Phase: Implementation

Effectiveness:

Description: 

Phase: Implementation

Effectiveness:

Description: 

With Struts, write all data from form beans with the bean’s filter attribute set to true.

Phase: Implementation

Effectiveness: Defense in Depth

Description: 

To help mitigate XSS attacks against the user’s session cookie, set the session cookie to be HttpOnly. In browsers that support the HttpOnly feature (such as more recent versions of Internet Explorer and Firefox), this attribute can prevent the user’s session cookie from being accessible to malicious client-side scripts that use document.cookie. This is not a complete solution, since HttpOnly is not supported by all browsers. More importantly, XMLHTTPRequest and other powerful browser technologies provide read access to HTTP headers, including the Set-Cookie header in which the HttpOnly flag is set.

CVE References

 

  • CVE-2005-0563
    • Cross-site scripting (XSS) vulnerability in Microsoft Outlook Web Access (OWA) component in Exchange Server 5.5 allows remote attackers to inject arbitrary web script or HTML via an email message with an encoded javascript: URL (“jav&#X41sc ript:”) in an IMG tag.
  • CVE-2005-2276
    • Cross-site scripting (XSS) vulnerability in Novell Groupwise WebAccess 6.5 before July 11, 2005 allows remote attackers to inject arbitrary web script or HTML via an e-mail message with an encoded javascript URI (e.g. “j&#X41vascript” in an IMG tag).

CWE-841 – Improper Enforcement of Behavioral Workflow

Read Time:1 Minute, 19 Second

Description

The software supports a session in which more than one behavior must be performed by an actor, but it does not properly ensure that the actor performs the behaviors in the required sequence.

Modes of Introduction:

– Implementation

Likelihood of Exploit:

 

Related Weaknesses

CWE-691

 

Consequences

Other: Alter Execution Logic

An attacker could cause the software to skip critical steps or perform them in the wrong order, bypassing its intended business logic. This can sometimes have security implications.

 

Potential Mitigations

CVE References

 

  • CVE-2011-0348
    • Bypass of access/billing restrictions by sending traffic to an unrestricted destination before sending to a restricted destination.
  • CVE-2007-3012
    • Attacker can access portions of a restricted page by canceling out of a dialog.
  • CVE-2009-5056
    • Ticket-tracking system does not enforce a permission setting.
  • CVE-2004-2164
    • Shopping cart does not close a database connection when user restores a previous order, leading to connection exhaustion.
  • CVE-2003-0777
    • Chain: product does not properly handle dropped connections, leading to missing NULL terminator (CWE-170) and segmentation fault.
  • CVE-2005-3327
    • Chain: Authentication bypass by skipping the first startup step as required by the protocol.
  • CVE-2004-0829
    • Chain: File server crashes when sent a “find next” request without an initial “find first.”
  • CVE-2010-2620
    • FTP server allows remote attackers to bypass authentication by sending (1) LIST, (2) RETR, (3) STOR, or other commands without performing the required login steps first.
  • CVE-2005-3296
    • FTP server allows remote attackers to list arbitrary directories as root by running the LIST command before logging in.

CWE-842 – Placement of User into Incorrect Group

Read Time:56 Second

Description

The software or the administrator places a user into an incorrect group.

If the incorrect group has more access or privileges than the intended group, the user might be able to bypass intended security policy to access unexpected resources or perform unexpected actions. The access-control system might not be able to detect malicious usage of this group membership.

Modes of Introduction:

– Implementation

Likelihood of Exploit:

 

Related Weaknesses

CWE-286

 

Consequences

Access Control: Gain Privileges or Assume Identity

 

Potential Mitigations

CVE References

 

  • CVE-1999-1193
    • Operating system assigns user to privileged wheel group, allowing the user to gain root privileges.
  • CVE-2010-3716
    • Chain: drafted web request allows the creation of users with arbitrary group membership.
  • CVE-2008-5397
    • Chain: improper processing of configuration options causes users to contain unintended group memberships.
  • CVE-2007-6644
    • CMS does not prevent remote administrators from promoting other users to the administrator group, in violation of the intended security model.
  • CVE-2007-3260
    • Product assigns members to the root group, allowing escalation of privileges.
  • CVE-2002-0080
    • Chain: daemon does not properly clear groups before dropping privileges.

CWE-843 – Access of Resource Using Incompatible Type (‘Type Confusion’)

Read Time:54 Second

Description

The program allocates or initializes a resource such as a pointer, object, or variable using one type, but it later accesses that resource using a type that is incompatible with the original type.

Modes of Introduction:

– Implementation

Likelihood of Exploit:

 

Related Weaknesses

CWE-704
CWE-704
CWE-119

 

Consequences

Availability, Integrity, Confidentiality: Read Memory, Modify Memory, Execute Unauthorized Code or Commands, DoS: Crash, Exit, or Restart

When a memory buffer is accessed using the wrong type, it could read or write memory out of the bounds of the buffer, if the allocated buffer is smaller than the type that the code is attempting to access, leading to a crash and possibly code execution.

 

Potential Mitigations

CVE References

 

  • CVE-2010-4577
    • Type confusion in CSS sequence leads to out-of-bounds read.
  • CVE-2011-0611
    • Size inconsistency allows code execution, first discovered when it was actively exploited in-the-wild.
  • CVE-2010-0258
    • Improperly-parsed file containing records of different types leads to code execution when a memory location is interpreted as a different object than intended.