Partial Comparison | ID: 187 | Date: (C)2012-05-14 (M)2022-10-10 |
Type: weakness | Status: INCOMPLETE | Abstraction Type: Base |
Description
The software performs a comparison that only examines a portion
of a factor before determining whether there is a match, such as a substring,
leading to resultant weaknesses.
Extended Description
For example, an attacker might succeed in authentication by providing a
short password that matches the associated portion of the longer, correct
password.
Applicable Platforms
Language Class: All
Time Of Introduction
Common Consequences
Scope | Technical Impact | Notes |
---|---|---|
Integrity, Access Control | Alter Execution Logic; Bypass Protection Mechanism | |
Detection Methods: None
Potential Mitigations
Phase | Strategy | Description | Effectiveness | Notes |
---|---|---|---|---|
Testing | | Thoroughly test the comparison scheme before deploying code into production. Perform positive testing as well as negative testing (inputs that are prefixes, substrings, or the empty string). | | |
Relationships
This is conceptually similar to other weaknesses, such as insufficient
verification and regular expression errors. It is primary to some
weaknesses.
Related CWE | Type | View | Chain |
---|---|---|---|
CWE-187 ChildOf CWE-907 | Category | CWE-888 | |
Demonstrative Examples
- This example defines a fixed username and password. The
AuthenticateUser() function is intended to accept a username and a password
from an untrusted user and check that they match the fixed username and
password. If both match, AuthenticateUser() is intended to indicate that
authentication succeeded. If the comparison is bounded by the length of the
attacker-supplied input rather than the length of the stored value, only a
prefix of the stored value is examined, and a shorter input that matches that
prefix is accepted.
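The following is an added example, not the code from the CWE entry itself: it reconstructs the pattern the example above describes (a strncmp()-style comparison bounded by the length of the untrusted input) beside a hardened comparison that checks the full length. The credentials, function names and the secure_equal() helper are constructed for this illustration and are assumptions, not part of the original page.

```c
#include <stdbool.h>
#include <stdio.h>
#include <string.h>

/* Constructed sample credentials for the demonstration; not real secrets. */
static const char USERNAME[] = "admin";
static const char PASSWORD[] = "correct horse battery staple";

/* Vulnerable variant (CWE-187). The comparison length comes from the
 * attacker-controlled input, so only a prefix of the stored value is
 * examined: "c" is accepted as the password, and the empty string matches
 * anything because strncmp() with n == 0 always returns 0. */
bool authenticate_partial(const char *user, const char *pass)
{
    return strncmp(USERNAME, user, strlen(user)) == 0 &&
           strncmp(PASSWORD, pass, strlen(pass)) == 0;
}

/* Hardened comparison (assumed helper): both lengths must be equal and every
 * byte of the common length is folded into `diff` without early exit, so
 * the result does not depend on where the first mismatch occurs. */
static bool secure_equal(const char *a, const char *b)
{
    size_t la = strlen(a);
    size_t lb = strlen(b);
    size_t n = la < lb ? la : lb;
    unsigned char diff = (unsigned char)(la != lb);

    for (size_t i = 0; i < n; i++)
        diff |= (unsigned char)(a[i] ^ b[i]);

    return diff == 0;
}

/* Fixed variant: the whole stored value is compared, not a prefix of it. */
bool authenticate_full(const char *user, const char *pass)
{
    return secure_equal(USERNAME, user) && secure_equal(PASSWORD, pass);
}

int main(void)
{
    /* Constructed attacker inputs: a one-character password and an empty one. */
    const char *probes[] = { "c", "", "correct", "wrong", PASSWORD };
    for (size_t i = 0; i < sizeof probes / sizeof probes[0]; i++) {
        printf("password \"%s\": partial=%d full=%d\n", probes[i],
               authenticate_partial("admin", probes[i]),
               authenticate_full("admin", probes[i]));
    }
    return 0;
}
```

The positive and negative tests the mitigation calls for map directly onto the probe list: the prefix "c", the empty string, and a full-length mismatch should all be rejected, and only the complete stored value should be accepted.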
Observed Examples
- CVE-2004-1012 : Argument parser of an IMAP server treats a partial command "body[p" as if it is "body.peek", leading to index error and out-of-bounds corruption.
- CVE-2004-0765 : Web browser only checks the hostname portion of a certificate when the hostname portion of the URI is not a fully qualified domain name (FQDN), which allows remote attackers to spoof trusted certificates.
- CVE-2002-1374 : One-character password by attacker checks only against first character of real password.
- CVE-2000-0979 : One-character password by attacker checks only against first character of real password.
White Box Definitions: None
Black Box Definitions: None
Taxonomy Mappings
Taxonomy | Id | Name | Fit |
---|---|---|---|
PLOVER | | Partial Comparison | |
References: None