CWE-187 – Partial String Comparison

Description

The software performs a comparison that examines only a portion of a factor, such as a substring or prefix, before deciding whether there is a match, leading to resultant weaknesses.

For example, an attacker might succeed in authentication by providing a small password that matches the associated portion of the larger, correct password.
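The password case described above, as an added example that is not part of the CWE entry or any of the products it cites: the comparison length is taken from the attacker-supplied string, so any prefix of the real password (including the empty string, since strncmp with length 0 always reports a match) authenticates. The hardened version compares the full length of both strings and does so without an early exit, so the position of the first mismatch is not leaked through timing. The stored password is a constructed value.

```c
#include <stdbool.h>
#include <stddef.h>
#include <stdio.h>
#include <string.h>

/* Vulnerable (CWE-187): the number of bytes compared is strlen(supplied),
 * so a one-character guess that matches the first character of the real
 * password succeeds, and an empty guess matches unconditionally. */
bool check_password_partial(const char *stored, const char *supplied)
{
    return strncmp(stored, supplied, strlen(supplied)) == 0;
}

/* Hardened: both lengths must agree and every byte must match. The loop
 * accumulates differences instead of returning early, so it takes the
 * same time for a mismatch at position 0 as for one at the last byte. */
bool check_password_full(const char *stored, const char *supplied)
{
    size_t slen = strlen(stored);
    size_t ulen = strlen(supplied);
    unsigned char diff = (unsigned char)(slen != ulen);

    /* Walk the supplied buffer; bytes beyond the stored length compare
     * against a fixed value, so the work depends only on the input size. */
    for (size_t i = 0; i < ulen; i++) {
        unsigned char s = (i < slen) ? (unsigned char)stored[i] : 0;
        diff |= (unsigned char)(s ^ (unsigned char)supplied[i]);
    }
    return diff == 0;
}

int main(void)
{
    const char *stored = "correct horse battery";   /* constructed sample */
    const char *guesses[] = { "", "c", "correct", "correct horse battery", "x" };

    for (size_t i = 0; i < sizeof guesses / sizeof guesses[0]; i++) {
        printf("guess %-24s partial=%d full=%d\n",
               guesses[i][0] ? guesses[i] : "(empty)",
               check_password_partial(stored, guesses[i]),
               check_password_full(stored, guesses[i]));
    }
    return 0;
}
```

In practice the stored value would be a password hash rather than the plaintext, but the same rule applies to comparing hashes, MACs and tokens: the comparison must cover the full expected length, and that length must come from the expected value, never from the attacker.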

Modes of Introduction:

– Implementation

Related Weaknesses

CWE-1023 – Incomplete Comparison with Missing Factors

Consequences

Integrity, Access Control: Alter Execution Logic, Bypass Protection Mechanism

Potential Mitigations

Phase: Testing

Description: 

Thoroughly test the comparison scheme before deploying code into production. Perform positive testing as well as negative testing; the negative cases should include empty input, truncated input, and input that shares a prefix or substring with the expected value but is not equal to it.

CVE References

  • CVE-2014-6394
    • Product does not prevent access to restricted directories due to partial string comparison with a public directory
  • CVE-2004-1012
    • Argument parser of an IMAP server treats a partial command “body[p” as if it is “body.peek”, leading to index error and out-of-bounds corruption.
  • CVE-2004-0765
    • Web browser only checks the hostname portion of a certificate when the hostname portion of the URI is not a fully qualified domain name (FQDN), which allows remote attackers to spoof trusted certificates.
  • CVE-2002-1374
    • One-character password by attacker checks only against first character of real password.
  • CVE-2000-0979
    • One-character password by attacker checks only against first character of real password.
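The directory case in the CVE-2014-6394 entry above, as an added example that is not code from that product: an access check that compares only the first strlen("/public") bytes of the request path treats "/public_admin/keys" and "/publicity" as public. The hardened check requires the prefix to end on a path-component boundary and rejects "." and ".." segments so that a traversal after the prefix cannot leave the directory. The directory name and request paths are constructed for the example.

```c
#include <stdbool.h>
#include <stddef.h>
#include <stdio.h>
#include <string.h>

#define PUBLIC_DIR "/public"   /* constructed: the directory anyone may read */

/* Vulnerable (CWE-187): only the first strlen(PUBLIC_DIR) bytes are examined,
 * so any path that merely starts with "/public" is granted. */
bool is_public_partial(const char *path)
{
    return strncmp(path, PUBLIC_DIR, strlen(PUBLIC_DIR)) == 0;
}

/* Hardened: the prefix must be a whole path component (followed by '/' or
 * end of string), and no "." or ".." segment may appear anywhere in the path. */
bool is_public_full(const char *path)
{
    size_t plen = strlen(PUBLIC_DIR);

    if (strncmp(path, PUBLIC_DIR, plen) != 0)
        return false;
    if (path[plen] != '/' && path[plen] != '\0')
        return false;

    /* Walk the components; reject relative segments that could escape. */
    const char *p = path;
    while (*p) {
        const char *seg_end = strchr(p, '/');
        size_t seg_len = seg_end ? (size_t)(seg_end - p) : strlen(p);
        if ((seg_len == 1 && p[0] == '.') ||
            (seg_len == 2 && p[0] == '.' && p[1] == '.'))
            return false;
        if (!seg_end)
            break;
        p = seg_end + 1;
    }
    return true;
}

int main(void)
{
    const char *paths[] = {
        "/public/index.html",
        "/public",
        "/public_admin/keys",
        "/publicity",
        "/public/../private/db.conf",
        "/private/db.conf",
    };

    for (size_t i = 0; i < sizeof paths / sizeof paths[0]; i++) {
        printf("%-28s partial=%d full=%d\n", paths[i],
               is_public_partial(paths[i]), is_public_full(paths[i]));
    }
    return 0;
}
```

On a real server the path should also be canonicalized (symlinks resolved, percent-decoding applied) before this check runs, since the comparison is only as good as the string it is handed.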