[EXT] CWE 98

[EXT] CWE 98

Erez Yalon
Hello list,

This is regarding CWE 98, Improper Control of Filename for Include/Require Statement in PHP Program ('PHP Remote File Inclusion').
It seems like it is missing its full potential - many languages allow inclusion by file name, which would trivially be correct for every interpreted language, but also compiled ones - Java (using ClassLoader), .NET (using ReferencedAssemblies ) and even Cobol could allow an external source to provide the name for a library.
Wouldn't it make sense for CWE 98 to include all languages that can run code from external files, rather than *just* PHP?

Best,
Erez

Re: [EXT] CWE 98

asummers
Administrator

Erez,

Thanks for your note, I hope you are well.

CWE is organized into various levels of specificity and detail. Entries can be organized into Categories (set of entries that share a common characteristic) but are labeled and organized according to their level of abstraction/detail as ‘class,’ ‘base,’ or ‘variant.’ CWE-98 is at the ‘variant’ level, which is the most specific/detailed level. A few sections down from the top on each CWE, you can reveal its relevant relationships according to different ‘views’ – i.e., ways of examining CWE content. Per the ‘Research’ view, CWE-98 is a child of CWE-706: Use of Incorrectly-Resolved Name or Reference and CWE-829: Inclusion of Functionality from Untrusted Control Sphere. These may be potential mappings for the types of weaknesses you mentioned. The reason variant-level CWE-98 was added to CWE was because it was a common weakness in PHP for which we have seen numerous real-world vulnerabilities. Do you feel that the other examples you mentioned are common, or just possible?

Thanks for reaching out and for your continued support of the CWE project!

Cheers,

Alec

-- 

Alec J. Summers
Cyber Solutions Division
Cyber Security Engineer, Lead
(781) 271-6970

MITRE - Solving Problems for a Safer World

From: Erez Yalon <[hidden email]>
Date: Monday, August 26, 2019 at 8:20 AM
To: CWE Research Discussion <[hidden email]>
Subject: [EXT] CWE 98
Re: [EXT] CWE 98

Wojtek Andrijew
Hello,
I think that Alec is right. Although CWE-829 fully covers the cases described by CWE-98, it is worth remembering that it is very often used to attack PHP pages, e.g. the Wordpress engine (infected by trojans, it causes many network attacks).
But I believe that the "Potential Mitigations" section could be updated, because mostly it is copied from the parent CWE.
From my perspective a "minimum solution" could be that the PHP mitigations described at the end should be moved to the beginning of this section.
What do you think about this?

Off topic question: I also see that the sentence "REALIZATION: This weakness is caused during implementation of an architectural security tactic." is used in the "Modes Of Introduction" section.
Are you sure that this is right?

Best regards,
Wojtek
--

Wojciech Andrijew

Senior Software Developer
Development
[hidden email]

Parasoft Polska Sp. z o.o.

Kiełkowskiego 9, 30-704 Kraków
P: +48 12 290 91 01, F: +48 12 290 91 02
NIP: PL679-31-26-896
www.parasoft.com
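For readers who have not met CWE-98 in code, here is an added example (not part of the thread or of the CWE entry) showing the weakness Erez and Wojtek discuss beside the allowlist mitigation that the "Potential Mitigations" section recommends. The `pages/` directory and its three template files are assumed to exist; the function and constant names are the example's own.

```php
<?php
// Added example: CWE-98 in PHP and its allowlist mitigation.

// Weak form (the CWE-98 pattern): the include path is built directly from a
// request parameter, so whoever controls ?page= decides which file the
// interpreter executes. With allow_url_include=On the "file" may even be a URL,
// which is the remote variant the CWE title refers to.
function render_page_weak(array $query): void
{
    include 'pages/' . $query['page'] . '.php';
}

// Hardened form: the request parameter is only a *key* into a fixed map of
// known templates. No user-controlled bytes ever reach include()/require(),
// so path traversal, null bytes and URL schemes in the parameter are moot.
// (Assumed layout: pages/home.php, pages/about.php, pages/contact.php.)
const PAGE_MAP = [
    'home'    => __DIR__ . '/pages/home.php',
    'about'   => __DIR__ . '/pages/about.php',
    'contact' => __DIR__ . '/pages/contact.php',
];

// Returns the template path for a key, or the fixed fallback for unknown keys.
// The rejected key is hex-encoded into the log so a probe shows up in
// monitoring without ever being echoed back into the page.
function resolve_page(string $key): string
{
    if (!array_key_exists($key, PAGE_MAP)) {
        error_log('rejected page key: ' . bin2hex($key));
        return PAGE_MAP['home'];
    }
    return PAGE_MAP[$key];
}

function render_page(array $query): void
{
    // Treat a missing or non-string parameter as the default page.
    $key = (isset($query['page']) && is_string($query['page'])) ? $query['page'] : 'home';
    require resolve_page($key);
}

// Entry point for the request; independently of the code, allow_url_include=Off
// in php.ini removes the remote-inclusion variant for the whole interpreter.
render_page($_GET);
```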