CWE-105: Struts: Form Field Without Validator

Description

The product has a form field that is not validated by a corresponding validation form, which can introduce other weaknesses related to insufficient input validation.

Submission Date :

July 19, 2006, midnight

Modification Date :

2023-06-29 00:00:00+00:00

Organization :

MITRE
Extended Description

Omitting validation for even a single input field may give attackers the leeway they need to compromise the product. Although J2EE applications are not generally susceptible to memory corruption attacks, if a J2EE application interfaces with native code that does not perform array bounds checking, an attacker may be able to use an input validation mistake in the J2EE application to launch a buffer overflow attack.

Example Vulnerable Codes

Example - 1

In the following example the Java class RegistrationForm is a Struts framework ActionForm Bean that will maintain user input data from a registration webpage for an online business site. The user will enter registration data and, through the Struts framework, the RegistrationForm bean will maintain the user data in the form fields using the private member variables. The RegistrationForm class uses the Struts validation capability by extending the ValidatorForm class and including the validation for the form fields within the validator XML file, validator.xml.


// // private variables for registration form// 
super();
// // getter and setter methods for private variables// 
private String name;private String address;private String city;private String state;private String zipcode;private String phone;private String email;public RegistrationForm() {}...public class RegistrationForm extends org.apache.struts.validator.ValidatorForm {}

The validator XML file, validator.xml, provides the validation for the form fields of the RegistrationForm.

<arg position="0" key="prompt.name"/>
<arg position="0" key="prompt.address"/>
<arg position="0" key="prompt.city"/>


<var-name>mask</var-name><var-value>[a-zA-Z]{2}</var-value><arg position="0" key="prompt.state"/><var></var>


<var-name>mask</var-name><var-value>\d{5}</var-value><arg position="0" key="prompt.zipcode"/><var></var><field property="name" depends="required"></field><field property="address" depends="required"></field><field property="city" depends="required"></field><field property="state" depends="required,mask"></field><field property="zipcode" depends="required,mask"></field><form name="RegistrationForm"></form><formset></formset><form-validation></form-validation>

However, in the previous example the validator XML file, validator.xml, does not provide validators for all of the form fields in the RegistrationForm. Validator forms are only provided for the first five of the seven form fields. The validator XML file should contain validator forms for all of the form fields for a Struts ActionForm bean. The following validator.xml file for the RegistrationForm class contains validator forms for all of the form fields.

<arg position="0" key="prompt.name"/>
<arg position="0" key="prompt.address"/>
<arg position="0" key="prompt.city"/>


<var-name>mask</var-name><var-value>[a-zA-Z]{2}</var-value><arg position="0" key="prompt.state"/><var></var>


<var-name>mask</var-name><var-value>\d{5}</var-value><arg position="0" key="prompt.zipcode"/><var></var>


<var-name>mask</var-name><var-value>^([0-9]{3})(-)([0-9]{4}|[0-9]{4})$</var-value><arg position="0" key="prompt.phone"/><var></var>
<arg position="0" key="prompt.email"/><field property="name" depends="required"></field><field property="address" depends="required"></field><field property="city" depends="required"></field><field property="state" depends="required,mask"></field><field property="zipcode" depends="required,mask"></field><field property="phone" depends="required,mask"></field><field property="email" depends="required,email"></field><form name="RegistrationForm"></form><formset></formset><form-validation></form-validation>

Related Weaknesses

This table shows the weaknesses and high level categories that are related to this weakness. These relationships are defined to give an overview of the different insight to similar items that may exist at higher and lower levels of abstraction.

Visit http://cwe.mitre.org/ for more details.

© cvefeed.io
Latest DB Update: Nov. 23, 2024 8:24