[Forgot Password]
Login  Register Subscribe

30479

 
 

423868

 
 

249622

 
 

909

 
 

195549

 
 

282

 
Paid content will be excluded from the download.


Download | Alert*
CWE
view XML

Partial Comparison

ID: 187Date: (C)2012-05-14   (M)2022-10-10
Type: weaknessStatus: INCOMPLETE
Abstraction Type: Base





Description

The software performs a comparison that only examines a portion of a factor before determining whether there is a match, such as a substring, leading to resultant weaknesses.

Extended Description

For example, an attacker might succeed in authentication by providing a small password that matches the associated portion of the larger, correct password.

Applicable Platforms
Language Class: All

Time Of Introduction

  • Implementation

Common Consequences

ScopeTechnical ImpactNotes
Integrity
Access_Control
 		Alter execution logic
Bypass protection mechanism
 		 

Detection Methods
None

Potential Mitigations

PhaseStrategyDescriptionEffectivenessNotes
Testing
 		 Thoroughly test the comparison scheme before deploying code into production. Perform positive testing as well as negative testing.
 		  

Relationships
This is conceptually similar to other weaknesses, such as insufficient verification and regular expression errors. It is primary to some weaknesses.

Related CWETypeViewChain
CWE-187 ChildOf CWE-907 Category CWE-888  

Demonstrative Examples   (Details)

  1. This example defines a fixed username and password. The AuthenticateUser() function is intended to accept a username and a password from an untrusted user, and check to ensure that it matches the username and password. If the username and password match, AuthenticateUser() is intended to indicate that authentication succeeded.

Observed Examples

  1. CVE-2004-1012 : Argument parser of an IMAP server treats a partial command "body[p" as if it is "body.peek", leading to index error and out-of-bounds corruption.
  2. CVE-2004-0765 : Web browser only checks the hostname portion of a certificate when the hostname portion of the URI is not a fully qualified domain name (FQDN), which allows remote attackers to spoof trusted certificates.
  3. CVE-2002-1374 : One-character password by attacker checks only against first character of real password.
  4. CVE-2000-0979 : One-character password by attacker checks only against first character of real password.

For more examples, refer to CVE relations in the bottom box.

White Box Definitions
None

Black Box Definitions
None

Taxynomy Mappings

TaxynomyIdNameFit
PLOVER  Partial Comparison
 		 

References:
None

© SecPod Technologies