Modes Of Introduction
Implementation : Developers might begin to build a list of known-bad inputs as a quick way to fix a particular weakness, instead of fixing the root cause. See [REF-141].
Architecture and Design : The design might rely solely on detecting malicious inputs as its protection mechanism, so every input the denylist fails to anticipate is accepted.
Applicable Platforms
Language
Class: Not Language-Specific (Undetermined)
Common Consequences
Scope | Impact | Likelihood
Access Control | Bypass Protection Mechanism | 
Observed Examples
Reference | Description
CVE-2008-2309 | Product uses a denylist to identify potentially dangerous content, allowing an attacker to bypass a warning.
CVE-2005-2782 | PHP remote file inclusion in a web application that filters "http" and "https" URLs, but not "ftp".
CVE-2004-0542 | Programming language does not filter certain shell metacharacters in a Windows environment.
CVE-2004-0595 | XSS filter doesn't filter null characters before looking for dangerous tags; web browsers ignore the null characters, so the tags are still rendered. MIE (multiple interpretation error) and validate-before-cleanse.
CVE-2005-3287 | Web-based mail product doesn't restrict dangerous extensions such as ASPX on a web server, even though others are prohibited.
CVE-2004-2351 | Resultant XSS when only |
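The following is an added illustration (not code from CWE, the cited references, or any of the affected products) of the denylist pattern described under Modes of Introduction, using three of the bypass shapes from the Observed Examples: an unlisted URL scheme, a null byte that splits a tag name before the filter sees it but is dropped by the browser, and an unlisted file extension. Each denylist check sits beside an allowlist version that accepts only what the application actually needs. All function names, the tag and extension lists, and the `browser_view` model of a lenient parser are assumptions made for the example.

```python
"""Denylist vs allowlist input checks (hypothetical illustration)."""
import os
import re
from urllib.parse import urlsplit

# --- 1. File inclusion target: scheme filtering (shape of CVE-2005-2782) ---
DENIED_SCHEMES = {"http", "https"}          # the "bad inputs" the developer thought of


def include_allowed_denylist(target: str) -> bool:
    """Denylist: refuse only the listed schemes; ftp://, php://, data:// all pass."""
    return urlsplit(target).scheme.lower() not in DENIED_SCHEMES


def include_allowed_allowlist(target: str) -> bool:
    """Allowlist: accept only a scheme-less relative path from a safe alphabet."""
    if urlsplit(target).scheme:             # any scheme at all is rejected
        return False
    if not re.fullmatch(r"[A-Za-z0-9_][A-Za-z0-9_./-]*", target):
        return False
    return ".." not in target.split("/")    # no traversal segments


# --- 2. XSS tag filter that validates before cleansing (shape of CVE-2004-0595) ---
DENIED_TAGS = ("<script", "<iframe", "<object")


def html_allowed_denylist(fragment: str) -> bool:
    """Denylist applied to the raw input: a NUL inside the tag name hides it."""
    low = fragment.lower()
    return not any(tag in low for tag in DENIED_TAGS)


def browser_view(fragment: str) -> str:
    """Assumed model of a lenient client that drops NUL bytes before tokenising."""
    return fragment.replace("\x00", "")


ALLOWED_TAGS = {"b", "i", "p", "br"}
TAG_RE = re.compile(r"<\s*/?\s*([A-Za-z][A-Za-z0-9]*)[^>]*>")


def html_allowed_allowlist(fragment: str) -> bool:
    """Cleanse first (validate what the browser will see), then allow only listed tags."""
    canon = browser_view(fragment).lower()
    if "<" in TAG_RE.sub("", canon):        # a '<' that is not part of a parsed tag
        return False
    return all(m.group(1) in ALLOWED_TAGS for m in TAG_RE.finditer(canon))


# --- 3. Upload file name: extension filtering (shape of CVE-2005-3287) ---
DENIED_EXTENSIONS = {".asp", ".php", ".exe"}
ALLOWED_EXTENSIONS = {".png", ".jpg", ".gif", ".txt"}


def upload_allowed_denylist(filename: str) -> bool:
    """Denylist: '.aspx' is not '.asp', so it is accepted."""
    return os.path.splitext(filename)[1].lower() not in DENIED_EXTENSIONS


def upload_allowed_allowlist(filename: str) -> bool:
    """Allowlist: one listed extension on a plain basename; 'x.php.png' is rejected."""
    base, ext = os.path.splitext(filename)
    return ext.lower() in ALLOWED_EXTENSIONS and re.fullmatch(r"[A-Za-z0-9_-]+", base) is not None


if __name__ == "__main__":
    # Constructed sample inputs, each a bypass of the denylist form
    samples = [
        ("include", "ftp://evil.example/x.php", include_allowed_denylist, include_allowed_allowlist),
        ("html", "<scr\x00ipt>alert(1)</scr\x00ipt>", html_allowed_denylist, html_allowed_allowlist),
        ("upload", "shell.aspx", upload_allowed_denylist, upload_allowed_allowlist),
    ]
    for kind, value, deny, allow in samples:
        print(f"{kind}: denylist accepts={deny(value)} allowlist accepts={allow(value)}")
```

The html check is a validator, not a sanitizer: output encoding at the rendering site remains the primary XSS control, and the point here is only that any check must run on the canonical form the consumer will interpret, and must enumerate what is permitted rather than what is known to be bad.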