CWE-184

Name

Incomplete List of Disallowed Inputs

Status

Draft

Published

2006-07-19 00:00 +00:00

Last Modified

2023-06-29 00:00 +00:00

Official links

CWE Mitre.org

Alerte pour un CWE

Stay informed of any changes for a specific CWE.

Alert management

List of Alerts

Alerte pour un CWE

Stay informed of any changes for a specific CWE.

Parameters

You can specify a title that will be retrieved in the alerts that will be sent out.

Specify the CWE ID you wish to monitor.

Planning

Month

Next run calculation

Day

Weekday

Hour

Minute

Creation date

Last execution

Next execution

Functionality requiring a connection

This feature, which allows you to receive alerts, is only active when you are logged into your account.

Incomplete List of Disallowed Inputs

The product implements a protection mechanism that relies on a list of inputs (or properties of inputs) that are not allowed by policy or otherwise require other action to neutralize before additional processing takes place, but the list is incomplete, leading to resultant weaknesses.

Extended Description

Developers often try to protect their products against malicious input by performing tests against inputs that are known to be bad, such as special characters that can invoke new commands. However, such lists often only account for the most well-known bad inputs. Attackers may be able to find other malicious inputs that were not expected by the developer, allowing them to bypass the intended protection mechanism.

Informations

Modes Of Introduction

Implementation : Developers might begin to develop a list of bad inputs as a fast way to fix a particular weakness, instead of fixing the root cause. See [REF-141].
Architecture and Design : The design might rely solely on detection of malicious inputs as a protection mechanism.

Applicable Platforms

Language

Class: Not Language-Specific (Undetermined)

Common Consequences

Scope	Impact	Likelihood
Access Control	Bypass Protection Mechanism

Observed Examples

Reference	Description
CVE-2008-2309	product uses a denylist to identify potentially dangerous content, allowing attacker to bypass a warning
CVE-2005-2782	PHP remote file inclusion in web application that filters "http" and "https" URLs, but not "ftp".
CVE-2004-0542	Programming language does not filter certain shell metacharacters in Windows environment.
CVE-2004-0595	XSS filter doesn't filter null characters before looking for dangerous tags, which are ignored by web browsers. MIE and validate-before-cleanse.
CVE-2005-3287	Web-based mail product doesn't restrict dangerous extensions such as ASPX on a web server, even though others are prohibited.
CVE-2004-2351	Resultant XSS when only

Lists Vulnerabilities

Sorted by Year

CVE Statistics

Specific Views

Vendors List

Products List

Lists CWE

Specific Views

Lasts 7 CWE

Lists CAPEC

Specifics Views

7 Lasts CAPEC

CWE-184

Alerte pour un CWE

Functionality requiring a connection

Incomplete List of Disallowed Inputs

Extended Description

Informations

Modes Of Introduction

Applicable Platforms

Language

Common Consequences

Observed Examples

Lists Vulnerabilities

Sorted by Year

CVE Statistics

Specific Views

CVE

OWASP

CISA KEV

Vendors List

Products List

Lists CWE

Specific Views

Lasts 7 CWE

Lists CAPEC

Specifics Views

7 Lasts CAPEC

No result found

Alert System

CWE-184 Detail

CWE-184

Alerte pour un CWE

Incomplete List of Disallowed Inputs

Extended Description

Informations

Modes Of Introduction

Applicable Platforms

Language

Common Consequences

Observed Examples