Tag Archives: Observable Response Discrepancy

CWE

CWE-204 – Observable Response Discrepancy

Read Time:1 Minute, 49 Second

Description

The product provides different responses to incoming requests in a way that reveals internal state information to an unauthorized actor outside of the intended control sphere.

This issue frequently occurs during authentication, where a difference in failed-login messages could allow an attacker to determine if the username is valid or not. These exposures can be inadvertent (bug) or intentional (design).

Modes of Introduction:

– Architecture and Design

 

 

Related Weaknesses

CWE-203

 

Consequences

Confidentiality, Access Control: Read Application Data, Bypass Protection Mechanism

 

Potential Mitigations

Phase: Architecture and Design

Description: 

Phase: Implementation

Description: 

CVE References

  • CVE-2002-2094
    • This, and others, use “..” attacks and monitor error responses, so there is overlap with directory traversal.
  • CVE-2001-1483
    • Enumeration of valid usernames based on inconsistent responses
  • CVE-2001-1528
    • Account number enumeration via inconsistent responses.
  • CVE-2004-2150
    • User enumeration via discrepancies in error messages.
  • CVE-2005-1650
    • User enumeration via discrepancies in error messages.
  • CVE-2004-0294
    • Bulletin Board displays different error messages when a user exists or not, which makes it easier for remote attackers to identify valid users and conduct a brute force password guessing attack.
  • CVE-2004-0243
    • Operating System, when direct remote login is disabled, displays a different message if the password is correct, which allows remote attackers to guess the password via brute force methods.
  • CVE-2002-0514
    • Product allows remote attackers to determine if a port is being filtered because the response packet TTL is different than the default TTL.
  • CVE-2002-0515
    • Product sets a different TTL when a port is being filtered than when it is not being filtered, which allows remote attackers to identify filtered ports by comparing TTLs.
  • CVE-2001-1387
    • Product may generate different responses than specified by the administrator, possibly leading to an information leak.
  • CVE-2004-0778
    • Version control system allows remote attackers to determine the existence of arbitrary files and directories via the -X command for an alternate history file, which causes different error messages to be returned.
  • CVE-2004-1428
    • FTP server generates an error message if the user name does not exist instead of prompting for a password, which allows remote attackers to determine valid usernames.