Thanks for your note, I hope you are well.
CWE is organized into various levels of specificity and detail. Entries can be organized into Categories (set of entries that share a common characteristic) but are labeled and organized according to their level of abstraction/detail as ‘class,’ ‘base,’ or ‘variant.’ CWE-98 is at the ‘variant’ level, which is the most specific/detailed level. A few sections down from the top on each CWE, you can reveal its relevant relationships according to different ‘views’ – i.e., ways of examining CWE content. Per the ‘Research’ view, CWE-98 is a child of CWE-706: Use of Incorrectly-Resolved Name or Reference and CWE-829: Inclusion of Functionality from Untrusted Control Sphere. These may be potential mappings for the types of weaknesses you mentioned. The reason variant-level CWE-98 was added to CWE was because it was a common weakness in PHP for which we have seen numerous real-world vulnerabilities. Do you feel that the other examples you mentioned are common, or just possible?
Thanks for reaching out and for your continued support of the CWE project!
This is regarding CWE-98, Improper Control of Filename for Include/Require Statement in PHP Program ('PHP Remote File Inclusion').
It seems like it is missing its full potential - many languages allow inclusion by file name, which would trivially be correct for every interpreted language, but also compiled ones - Java (using ClassLoader), .NET (using ReferencedAssemblies) and even COBOL could allow an external source to provide the name for a library.
Wouldn't it make sense for CWE-98 to include all languages that can run code from external files, rather than *just* PHP?
I think that Alec is right. Although CWE-829 fully covers the cases described by CWE-98, it is worth remembering that it is very often used to attack PHP pages, e.g. the WordPress engine (infected by trojans, it causes many network attacks).
But I believe that the "Potential Mitigations" section could be updated, because mostly it is copied from the parent CWE.
From my perspective, a "minimum solution" could be that the PHP mitigations described at the end should be moved to the beginning of this section.
What do you think about this?
Off-topic question: I also see that the sentence "REALIZATION: This weakness is caused during implementation of an architectural security tactic." is used in the "Modes Of Introduction" section.
Are you sure that this is right?
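To make the two positions in this thread concrete (Alec's point that inclusion-by-name exists outside PHP, and the allow-list mitigation discussed above), here is an added example that is not part of the thread or of the CWE project's material. It is written in Python rather than PHP to show the same shape of weakness in another interpreted language: the unsafe loader hands a request value straight to the module resolver (the analogue of `include($_GET['page'])`), while the hardened loader maps the request value through a fixed allow-list so the resolver never sees attacker-chosen text. The page names, module names and their contents are constructed for the example and registered in-process so it runs offline.

```python
"""Dynamic inclusion by name: CWE-98-style pattern vs. an allow-listed loader.

Added illustration, not from the thread or the CWE project. The "pages" below
are constructed in-memory modules so the example needs no files on disk.
"""
import importlib
import sys
import types


def _register_page(module_name, body):
    """Constructed stand-in for a page module on disk (assumption: a real app
    would have page_home.py, page_about.py, ... on the import path)."""
    mod = types.ModuleType(module_name)
    mod.render = lambda: body
    sys.modules[module_name] = mod


_register_page("page_home", "home page")
_register_page("page_about", "about page")

# The hardened loader only ever resolves these module names; the request
# value is a lookup key, never a module or file name.
ALLOWED_PAGES = {
    "home": "page_home",
    "about": "page_about",
}


def include_unsafe(requested):
    """Weak pattern: the request value itself is the name the resolver uses.

    Any module importable from the process can be loaded, which is the
    Python-shaped equivalent of include($_GET['page']) in PHP.
    """
    return importlib.import_module(requested)


def include_safe(requested):
    """Hardened pattern: translate the request value through an allow-list.

    Unknown keys are rejected before any name resolution happens, so path
    fragments, URLs or unrelated module names never reach the resolver.
    """
    module_name = ALLOWED_PAGES.get(requested)
    if module_name is None:
        raise ValueError(f"unknown page requested: {requested!r}")
    return importlib.import_module(module_name)


def render_page(requested):
    """Request handler using the hardened loader; returns the page body."""
    return include_safe(requested).render()


if __name__ == "__main__":
    print(render_page("home"))          # home page
    try:
        render_page("http://example.invalid/x")  # constructed bad input
    except ValueError as exc:
        print("rejected:", exc)
```

The design point is that the allow-list is a dictionary, not a string check: validating the request value with a pattern still leaves the resolver operating on attacker-supplied text, whereas the dictionary lookup means the resolver only ever sees names the application author wrote. The same structure applies to the Java `ClassLoader` and .NET assembly cases raised in the thread.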