Szczegóły CWE-147

CWE-147

Improper Neutralization of Input Terminators
Draft
2006-07-19
00h00 +00:00
2025-12-11
00h00 +00:00
CWE Mitre.org
Powiadomienia dla konkretnego CWE
Bądź na bieżąco z wszelkimi zmianami dotyczącymi konkretnego CWE.
Zarządzaj powiadomieniami

Nazwa: Improper Neutralization of Input Terminators

The product receives input from an upstream component, but it does not neutralize or incorrectly neutralizes special elements that could be interpreted as input terminators when they are sent to a downstream component.

Opis CWE

For example, a "." in SMTP signifies the end of mail message data, whereas a null character can be used for the end of a string.

Informacje ogólne

Sposoby wprowadzenia

Implementation

Odpowiednie platformy

Język

Class: Not Language-Specific (Undetermined)

Typowe konsekwencje

Zakres Wpływ Prawdopodobieństwo
IntegrityUnexpected State

Zaobserwowane przykłady

Odniesienia Opis

CVE-2000-0319

MFV. mail server does not properly identify terminator string to signify end of message, causing corruption, possibly in conjunction with off-by-one error.

CVE-2000-0320

MFV. mail server does not properly identify terminator string to signify end of message, causing corruption, possibly in conjunction with off-by-one error.

CVE-2001-0996

Mail server does not quote end-of-input terminator if it appears in the middle of a message.

CVE-2002-0001

Improperly terminated comment or phrase allows commands.

Potencjalne środki zaradcze

Developers should anticipate that terminators will be injected/removed/manipulated in the input vectors of their product. Use an appropriate combination of denylists and allowlists to ensure only valid, expected and appropriate input is processed by the system.
Phases : Implementation
Phases : Implementation
While it is risky to use dynamically-generated query strings, code, or commands that mix control and data together, sometimes it may be unavoidable. Properly quote arguments and escape any special characters within those arguments. The most conservative approach is to escape or filter all characters that do not pass an extremely strict allowlist (such as everything that is not alphanumeric or white space). If some special characters are still needed, such as white space, wrap each argument in quotes after the escaping/filtering step. Be careful of argument injection (CWE-88).
Phases : Implementation
Inputs should be decoded and canonicalized to the application's current internal representation before being validated (CWE-180). Make sure that the application does not decode the same input twice (CWE-174). Such errors could be used to bypass allowlist validation schemes by introducing dangerous inputs after they have been checked.

Uwagi dotyczące mapowania podatności

Uzasadnienie : This CWE entry is at the Variant level of abstraction, which is a preferred level of abstraction for mapping to the root causes of vulnerabilities.
Komentarz : Carefully read both the name and description to ensure that this mapping is an appropriate fit. Do not try to 'force' a mapping to a lower-level Base/Variant simply to comply with this preferred level of abstraction.

Powiązane wzorce ataków

CAPEC-ID Nazwa wzorca ataku
CAPEC-460 HTTP Parameter Pollution (HPP)
An adversary adds duplicate HTTP GET/POST parameters by injecting query string delimiters. Via HPP it may be possible to override existing hardcoded HTTP parameters, modify the application behaviors, access and, potentially exploit, uncontrollable variables, and bypass input validation checkpoints and WAF rules.

Zgłoszenie

Nazwa Organizacja Data Data wydania Version
PLOVER 2006-07-19 +00:00 2006-07-19 +00:00 Draft 3

Modyfikacje

Nazwa Organizacja Data Komentarz
Eric Dalci Cigital 2008-07-01 +00:00 updated Potential_Mitigations, Time_of_Introduction
CWE Content Team MITRE 2008-09-08 +00:00 updated Relationships, Taxonomy_Mappings
CWE Content Team MITRE 2008-10-14 +00:00 updated Description
CWE Content Team MITRE 2009-03-10 +00:00 updated Description, Name
CWE Content Team MITRE 2009-07-27 +00:00 updated Potential_Mitigations
CWE Content Team MITRE 2010-04-05 +00:00 updated Description, Name
CWE Content Team MITRE 2011-03-29 +00:00 updated Potential_Mitigations
CWE Content Team MITRE 2011-06-01 +00:00 updated Common_Consequences
CWE Content Team MITRE 2011-06-27 +00:00 updated Common_Consequences
CWE Content Team MITRE 2012-05-11 +00:00 updated Related_Attack_Patterns, Relationships
CWE Content Team MITRE 2012-10-30 +00:00 updated Potential_Mitigations
CWE Content Team MITRE 2014-07-30 +00:00 updated Relationships, Taxonomy_Mappings
CWE Content Team MITRE 2017-05-03 +00:00 updated Potential_Mitigations
CWE Content Team MITRE 2017-11-08 +00:00 updated Applicable_Platforms
CWE Content Team MITRE 2020-02-24 +00:00 updated Potential_Mitigations, Relationships
CWE Content Team MITRE 2020-06-25 +00:00 updated Potential_Mitigations, Relationships
CWE Content Team MITRE 2023-01-31 +00:00 updated Description, Potential_Mitigations
CWE Content Team MITRE 2023-04-27 +00:00 updated Relationships
CWE Content Team MITRE 2023-06-29 +00:00 updated Mapping_Notes
CWE Content Team MITRE 2025-12-11 +00:00 updated Weakness_Ordinalities
Informacje prezentowane na CVE Find pochodzą z kilku starannie wybranych źródeł referencyjnych. Dane CVE są dostarczane przez MITRE Corporation i Narodową Bazę Podatności (NVD). Katalog znanych eksploatowanych podatności (KEV) pochodzi z Agencji ds. Bezpieczeństwa Cyberprzestrzeni i Infrastruktury (CISA), natomiast wyniki EPSS pochodzą z FIRST.org. Ponadto dane dotyczące słabości oprogramowania (CWE) i typowych wzorców ataków (CAPEC) są utrzymywane przez MITRE Corporation, a informacje o konfiguracjach sprzętu i oprogramowania (CPE) są dostarczane przez NVD.