Description
The software validates data before it has been filtered, which prevents the software from detecting data that becomes invalid after the filtering step.
This can be used by an attacker to bypass the validation and launch attacks that expose weaknesses that would otherwise be prevented, such as injection.
Modes of Introduction:
– Implementation
Related Weaknesses
CWE-179
Consequences
Access Control: Bypass Protection Mechanism
Potential Mitigations
Phase: Implementation, Architecture and Design
Description:
Inputs should be decoded and canonicalized to the application’s current internal representation before being filtered.
CVE References
- CVE-2002-0934
- Directory traversal vulnerability allows remote attackers to read or modify arbitrary files via invalid characters between two . (dot) characters, which are filtered and result in a “..” sequence.
- CVE-2003-0282
- Directory traversal vulnerability allows attackers to overwrite arbitrary files via invalid characters between two . (dot) characters, which are filtered and result in a “..” sequence.
