Read Time:54 Second
Description
The wrong “handler” is assigned to process an object.
An example of deploying the wrong handler would be calling a servlet to reveal source code of a .JSP file, or automatically “determining” type of the object even if it is contradictory to an explicitly specified type.
Modes of Introduction:
– Implementation
Related Weaknesses
Consequences
Integrity, Other: Varies by Context, Unexpected State
Potential Mitigations
Phase: Architecture and Design
Description:
Perform a type check before interpreting an object.
Phase: Architecture and Design
Description:
Reject any inconsistent types, such as a file with a .GIF extension that appears to consist of PHP code.
CVE References
- CVE-2001-0004
- Source code disclosure via manipulated file extension that causes parsing by wrong DLL.
- CVE-2002-0025
- Web browser does not properly handle the Content-Type header field, causing a different application to process the document.
- CVE-2000-1052
- Source code disclosure by directly invoking a servlet.
- CVE-2002-1742
- Arbitrary Perl functions can be loaded by calling a non-existent function that activates a handler.