CWE-234 detail

CWE-234: Failure to Handle Missing Parameter
High
Status: Incomplete
Created: 2006-07-19 00:00 +00:00
Last updated: 2024-02-29 00:00 +00:00

Name: Failure to Handle Missing Parameter

If too few arguments are sent to a function, the function will still pop the expected number of arguments from the stack, so the missing ones are read from whatever the stack happens to hold. A function taking a variable number of arguments can likewise exhaust the arguments it was actually given.

General information

Modes of introduction

Implementation

Applicable platforms

Language

Class: Not Language-Specific (Undetermined)

Common consequences

Scope | Impact | Likelihood
Integrity, Confidentiality, Availability, Access Control | Execute Unauthorized Code or Commands; Gain Privileges or Assume Identity |
Note: There is the potential for arbitrary code execution with the privileges of the vulnerable program if the function parameter list is exhausted.
Availability | DoS: Crash, Exit, or Restart |
Note: A program could fail if it needs more arguments than are available.

Observed examples

Reference | Description
CVE-2004-0276 | Server earlier allows remote attackers to cause a denial of service (crash) via an HTTP request with a sequence of "%" characters and a missing Host field.
CVE-2002-1488 | Chat client allows remote malicious IRC servers to cause a denial of service (crash) via a PART message with (1) a missing channel or (2) a channel that the user is not in.
CVE-2002-1169 | Proxy allows remote attackers to cause a denial of service (crash) via an HTTP request to helpout.exe with a missing HTTP version number.
CVE-2000-0521 | Web server allows disclosure of CGI source code via an HTTP request without the version number.
CVE-2001-0590 | Application server allows a remote attacker to read the source code of arbitrary 'jsp' files via a malformed URL request which does not end with an HTTP protocol specification.
CVE-2003-0239 | Chat software allows remote attackers to cause a denial of service via malformed GIF89a headers that do not contain a GCT (Global Color Table) or an LCT (Local Color Table) after an Image Descriptor.
CVE-2002-1023 | Server allows remote attackers to cause a denial of service (crash) via an HTTP GET request without a URI.
CVE-2002-1236 | CGI crashes when called without any arguments.
CVE-2003-0422 | CGI crashes when called without any arguments.
CVE-2002-1531 | Crash in HTTP request without a Content-Length field.
CVE-2002-1077 | Crash in HTTP request without a Content-Length field.
CVE-2002-1358 | Empty elements/strings in protocol test suite affect many SSH2 servers/clients.
CVE-2003-0477 | FTP server crashes in PORT command without an argument.
CVE-2002-0107 | Resultant infoleak in web server via GET requests without HTTP/1.0 version string.
CVE-2002-0596 | GET request with empty parameter leads to error message infoleak (path disclosure).

Potential mitigations

Phase: Build and Compilation
This issue can be simply combated with the use of a proper build process.
Phase: Implementation
Forward declare all functions. This is the recommended solution. Proper forward declaration of all used functions will result in a compiler error if too few arguments are sent to a function.
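The observed examples above are mostly protocol inputs with a required piece missing (a URI, an HTTP version, a Host header), while the mitigation addresses the function-argument case with forward declarations. The following C snippet is an added example, not code from the CWE entry: it declares the prototype before use, so a call with too few arguments is rejected at compile time, and it validates each required piece of an HTTP request before touching it, returning an error code instead of crashing. The enum, function names and sample requests are constructed for this example.

```c
#include <ctype.h>
#include <stdio.h>
#include <string.h>

/* Validation outcome; enum and function names are constructed for this example. */
enum req_status { REQ_OK = 0, REQ_MISSING_URI, REQ_MISSING_VERSION, REQ_MISSING_HOST };

/* Prototype first: with it in scope, a call passing too few arguments is a
 * compile error rather than a read of whatever sits on the stack. */
enum req_status check_request(const char *raw);

/* Case-insensitive test that a header line starts with "Host:"; stops at the
 * first mismatch, so a short line is never read past its terminator. */
static int is_host_line(const char *line) {
    const char *name = "host:";
    for (size_t i = 0; name[i]; i++)
        if (tolower((unsigned char)line[i]) != name[i]) return 0;
    return 1;
}

/* Scan each line after the request line for a Host header. */
static int has_host_header(const char *raw) {
    for (const char *nl = strchr(raw, '\n'); nl; nl = strchr(nl + 1, '\n'))
        if (is_host_line(nl + 1)) return 1;
    return 0;
}

/* Check the pieces the observed examples saw missing (URI, HTTP version, Host)
 * before any is used, so a truncated request yields an error code instead of a
 * NULL dereference. The request line is copied so strtok can split it safely. */
enum req_status check_request(const char *raw) {
    char line[256];
    size_t len = strcspn(raw, "\r\n");
    if (len >= sizeof line) len = sizeof line - 1;
    memcpy(line, raw, len);
    line[len] = '\0';
    char *method = strtok(line, " ");
    char *uri = method ? strtok(NULL, " ") : NULL;
    char *version = uri ? strtok(NULL, " ") : NULL;
    if (!uri) return REQ_MISSING_URI;                        /* e.g. "GET" alone */
    if (!version || strncmp(version, "HTTP/", 5) != 0)
        return REQ_MISSING_VERSION;                          /* e.g. "GET /" only */
    if (!has_host_header(raw)) return REQ_MISSING_HOST;
    return REQ_OK;
}

int main(void) {   /* constructed samples: one complete, one with no Host header */
    printf("%d %d\n", check_request("GET /x HTTP/1.1\r\nHost: a.test\r\n\r\n"),
           check_request("GET /x HTTP/1.1\r\n\r\n"));         /* prints "0 3" */
    return 0;
}
```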

Vulnerability mapping notes

Rationale: This CWE entry could be deprecated in a future version of CWE.
Comment: See maintenance notes.

Notes

This entry will be deprecated in a future version of CWE. The term "missing parameter" was used in both PLOVER and CLASP, with completely different meanings. However, data from both taxonomies was merged into this entry. In PLOVER, it was meant to cover malformed inputs that do not contain required parameters, such as a missing parameter in a CGI request. This entry's observed examples and classification came from PLOVER. However, the description, demonstrative example, and other information are derived from CLASP. They are related to an incorrect number of function arguments, which is already covered by CWE-685.

Submission

Name | Organization | Date | Publication date | Version
PLOVER | | 2006-07-19 +00:00 | 2006-07-19 +00:00 | Draft 3

Modifications

Name | Organization | Date | Comment
Eric Dalci | Cigital | 2008-07-01 +00:00 | updated Time_of_Introduction
CWE Content Team | MITRE | 2008-09-08 +00:00 | updated Common_Consequences, Relationships, Observed_Example, Other_Notes, Taxonomy_Mappings
CWE Content Team | MITRE | 2008-11-24 +00:00 | updated Observed_Examples
CWE Content Team | MITRE | 2009-03-09 +00:00 | added maintenance note: this entry will probably be deprecated
CWE Content Team | MITRE | 2009-03-10 +00:00 | updated Maintenance_Notes, Other_Notes, Potential_Mitigations
CWE Content Team | MITRE | 2011-06-01 +00:00 | updated Common_Consequences
CWE Content Team | MITRE | 2012-05-11 +00:00 | updated Observed_Examples, Relationships
CWE Content Team | MITRE | 2013-07-17 +00:00 | updated Type
CWE Content Team | MITRE | 2014-07-30 +00:00 | updated Relationships
CWE Content Team | MITRE | 2017-11-08 +00:00 | updated Applicable_Platforms, Demonstrative_Examples
CWE Content Team | MITRE | 2020-02-24 +00:00 | updated Relationships
CWE Content Team | MITRE | 2023-04-27 +00:00 | updated Relationships, Time_of_Introduction
CWE Content Team | MITRE | 2023-06-29 +00:00 | updated Mapping_Notes
CWE Content Team | MITRE | 2024-02-29 +00:00 | updated Mapping_Notes