CWE-430 – Deployment of Wrong Handler


Description

The wrong “handler” is assigned to process an object.

Examples of deploying the wrong handler include calling a servlet to reveal the source code of a .JSP file, or automatically “determining” the type of an object even when that contradicts an explicitly specified type.

Modes of Introduction:

– Implementation

Related Weaknesses

CWE-691
CWE-433
CWE-434

Consequences

Scope: Integrity, Other. Impact: Varies by Context, Unexpected State.

Potential Mitigations

Phase: Architecture and Design

Description: Perform a type check before interpreting an object.

Phase: Architecture and Design

Description: Reject any inconsistent types, such as a file with a .GIF extension that appears to consist of PHP code.
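
Added example (not part of the original CWE entry): one way to apply both mitigations to an uploaded file, by comparing the declared extension with the leading bytes of the content and rejecting a mismatch or an embedded PHP opener. The function name, the signature allowlist, the script-marker heuristic and the sample inputs are assumptions constructed for illustration.

```python
import os

# Leading-byte signatures for the types this handler is willing to serve (allowlist).
SIGNATURES = {
    ".gif": (b"GIF87a", b"GIF89a"),
    ".png": (b"\x89PNG\r\n\x1a\n",),
    ".jpg": (b"\xff\xd8\xff",),
    ".jpeg": (b"\xff\xd8\xff",),
    ".pdf": (b"%PDF-",),
}
# Server-side script opener that must never appear in a static upload (heuristic).
SCRIPT_MARKERS = (b"<?php",)


def check_declared_type(filename: str, data: bytes) -> tuple[bool, str]:
    """Return (accepted, reason) after comparing the declared type with the content."""
    ext = os.path.splitext(filename)[1].lower()
    expected = SIGNATURES.get(ext)
    if expected is None:
        return False, f"extension {ext or '(none)'} is not on the allowlist"
    # Type check first: the content must begin with a signature of the declared type.
    if not data.startswith(expected):
        return False, f"content does not start with a {ext} signature"
    # Consistency check: a valid header followed by script code is still rejected.
    lowered = data.lower()
    for marker in SCRIPT_MARKERS:
        if marker in lowered:
            return False, f"{ext} file contains script marker {marker.decode()}"
    return True, "declared type and content agree"


# Constructed sample inputs (not taken from any real incident).
SAMPLES = {
    "logo.gif": b"GIF89a\x01\x00\x01\x00\x80\x00\x00\x00\x00\x00\xff\xff\xff;",
    "avatar.gif": b"<?php echo 'hello'; ?>",
    "banner.gif": b"GIF89a\x01\x00\x01\x00<?PHP echo 'hello'; ?>",
    "notes.txt": b"plain text",
}

if __name__ == "__main__":
    for name, body in SAMPLES.items():
        ok, reason = check_declared_type(name, body)
        print(f"{name}: {'accept' if ok else 'reject'} ({reason})")
```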

CVE References

  • CVE-2001-0004
    • Source code disclosure via manipulated file extension that causes parsing by wrong DLL.
  • CVE-2002-0025
    • Web browser does not properly handle the Content-Type header field, causing a different application to process the document.
  • CVE-2000-1052
    • Source code disclosure by directly invoking a servlet.
  • CVE-2002-1742
    • Arbitrary Perl functions can be loaded by calling a non-existent function that activates a handler.