CWE-74: Improper Neutralization of Special Elements in Output Used by a Downstream Component ('Injection')

Description

The product constructs all or part of a command, data structure, or record using externally-influenced input from an upstream component, but it does not neutralize or incorrectly neutralizes special elements that could modify how it is parsed or interpreted when it is sent to a downstream component.

Submission Date : July 19, 2006, midnight

Modification Date : 2023-06-29 00:00:00+00:00

Organization : MITRE

Extended Description

Software or other automated logic has certain assumptions about what constitutes data and control respectively. It is the lack of verification of these assumptions for user-controlled input that leads to injection problems. Injection problems encompass a wide variety of issues -- all mitigated in very different ways and usually attempted in order to alter the control flow of the process. For this reason, the most effective way to discuss these weaknesses is to note the distinct features that classify them as injection weaknesses. The most important issue to note is that all injection problems share one thing in common -- i.e., they allow for the injection of control plane data into the user-controlled data plane. This means that the execution of the process may be altered by sending code in through legitimate data channels, using no other mechanism. While buffer overflows, and many other flaws, involve the use of some further issue to gain execution, injection problems need only for the data to be parsed.

Example Vulnerable Codes

Example - 1

This example code intends to take the name of a user and list the contents of that user's home directory. It is subject to the first variant of OS command injection.


$userName = $_POST["user"];            // user-controlled input, never checked
$command = 'ls -l /home/' . $userName; // concatenated straight into a shell command line
system($command);                      // the shell parses the whole string, separators included

The $userName variable is not checked for malicious input. An attacker could set the $userName variable to an arbitrary OS command such as:

;rm -rf /

Which would result in $command being:

ls -l /home/;rm -rf /

Since the semi-colon is a command separator in Unix, the OS would first execute the ls command, then the rm command, deleting the entire file system.

Also note that this example code is vulnerable to Path Traversal (CWE-22) and Untrusted Search Path (CWE-426) attacks.

Example - 2

Consider the following program. It intends to perform an "ls -l" on an input filename. The validate_name() subroutine performs validation on the input to make sure that only alphanumeric and "-" characters are allowed, which avoids path traversal (CWE-22) and OS command injection (CWE-78) weaknesses. Only filenames like "abc" or "d-e-f" are intended to be allowed.

my $arg = GetArgument("filename");
do_listing($arg);

sub do_listing {
  my($fname) = @_;
  if (! validate_name($fname)) {
    print "Error: name is not well-formed!\n";
    return;
  }
  # build command
  my $cmd = "/bin/ls -l $fname";   # validated name is still interpolated into a shell command
  system($cmd);
}

sub validate_name {
  my($name) = @_;
  if ($name =~ /^[\w\-]+$/) {      # letters, digits, "_" and "-" only; a leading "-" is accepted
    return(1);
  }
  else {
    return(0);
  }
}

However, validate_name() allows filenames that begin with a "-". An adversary could supply a filename like "-aR", producing the "ls -l -aR" command (CWE-88), thereby getting a full recursive listing of the entire directory and all of its sub-directories.

There are a couple of possible mitigations for this weakness. One would be to refactor the code to avoid using system() altogether, instead relying on internal functions.

Another option could be to add a "--" argument to the ls command, such as "ls -l --", so that any remaining arguments are treated as filenames, causing any leading "-" to be treated as part of a filename instead of another option.

Another fix might be to change the regular expression used in validate_name to force the first character of the filename to be a letter or number, such as:

if ($name =~ /^\w[\w\-]+$/) ...
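The two examples above and the mitigations discussed after Example 2, rebuilt in Python as an added example (this is not code from the CWE entry or from MITRE; function names such as build_listing_argv and describe_entry are this example's own, and run_listing assumes /bin/ls exists, as the Perl example does). It shows the concatenated string of Example 1 being tokenised into two shell commands, the original and corrected validate_name patterns side by side, and the "--" and internal-function mitigations for Example 2 applied to a constructed directory containing a file literally named "-aR":

```python
"""Added example for CWE-74 (not code from the CWE entry itself): both
demonstrative examples rebuilt in Python, next to the three mitigations
the entry discusses. Function names are this example's own."""
import os
import re
import shlex
import stat
import subprocess
import tempfile

# Patterns from the Perl example. WEAK is the original validate_name(): it
# accepts names starting with "-". STRICT is the fix the entry proposes;
# note that it also requires at least two characters.
WEAK_NAME_RE = re.compile(r"^[\w\-]+$")
STRICT_NAME_RE = re.compile(r"^\w[\w\-]+$")


def validate_name_weak(name: str) -> bool:
    return WEAK_NAME_RE.match(name) is not None


def validate_name_strict(name: str) -> bool:
    return STRICT_NAME_RE.match(name) is not None


def vulnerable_command(user_name: str) -> str:
    """Example 1 rebuilt: string concatenation destined for a shell, so any
    shell metacharacter in user_name changes how the string is parsed."""
    return "ls -l /home/" + user_name


def count_shell_commands(command: str) -> int:
    """Tokenise like a POSIX shell (shlex with punctuation_chars) and count
    the simple commands separated by ';', '&' or '|' style operators. This
    makes the data-plane/control-plane confusion visible: a benign name
    yields 1 command, ';rm -rf /' yields 2."""
    tokens = list(shlex.shlex(command, posix=True, punctuation_chars=True))
    operators = [t for t in tokens if all(c in ";&|" for c in t)]
    return len(operators) + 1


def build_listing_argv(fname: str) -> list:
    """Example 2 hardened: strict validation, the name passed as its own
    argv element (no shell involved) and '--' before it, so even a name
    starting with '-' can never be parsed as an ls option (CWE-88)."""
    if not validate_name_strict(fname):
        raise ValueError("Error: name is not well-formed!")
    return ["/bin/ls", "-l", "--", fname]


def run_listing(directory: str, fname: str) -> str:
    """Execute the hardened argv; subprocess.run with a list never spawns a
    shell, so no separator character is interpreted. Assumes /bin/ls."""
    result = subprocess.run(build_listing_argv(fname), cwd=directory,
                            capture_output=True, text=True, check=True)
    return result.stdout


def describe_entry(directory: str, fname: str) -> dict:
    """The 'internal functions' mitigation: no external command at all.
    os.lstat has no option parser, so '-aR' is just a filename. The weak
    pattern is still applied because it blocks '/' and '.' (CWE-22)."""
    if not validate_name_weak(fname):
        raise ValueError("Error: name is not well-formed!")
    st = os.lstat(os.path.join(directory, fname))
    return {"name": fname, "size": st.st_size, "is_dir": stat.S_ISDIR(st.st_mode)}


def demo_internal_listing() -> dict:
    """Constructed fixture: a temporary directory holding a file literally
    named '-aR', the name the entry uses as its argument-injection string."""
    with tempfile.TemporaryDirectory() as d:
        with open(os.path.join(d, "-aR"), "w") as fh:
            fh.write("not an option\n")   # 14 bytes
        return describe_entry(d, "-aR")


if __name__ == "__main__":
    cmd = vulnerable_command(";rm -rf /")
    print(repr(cmd), "->", count_shell_commands(cmd), "shell commands")
    print("weak accepts -aR:", validate_name_weak("-aR"),
          "| strict accepts -aR:", validate_name_strict("-aR"))
    print("hardened argv:", build_listing_argv("d-e-f"))
    print("internal listing:", demo_internal_listing())
```

The argv list and the "--" separator address different parsers: the list keeps the shell out of the picture (so ";" is never a separator), while "--" tells ls itself to stop reading options, which is what the stricter validate_name pattern also achieves by rejecting a leading "-". describe_entry shows the entry's first suggestion, where no argument parser sees the name at all.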

Related Weaknesses

This table shows the weaknesses and high-level categories that are related to this weakness. These relationships are defined to give insight into similar items that may exist at higher and lower levels of abstraction.

Visit http://cwe.mitre.org/ for more details.