CWE-150

Nome

Improper Neutralization of Escape, Meta, or Control Sequences

Status

Incomplete

Publicado

2006-07-19
00h00 +00:00

Modificado

2025-12-11
00h00 +00:00

Links oficiais

CWE Mitre.org

Notificações para um CWE

Fique informado sobre quaisquer alterações para um CWE específico.

Gerenciar notificações

Alertas personalizados

Ative seus alertas personalizados!

Para ativar seus alertas, basta estar conectado à sua conta gratuita. Se ainda não estiver conectado, escolha uma das opções abaixo.

Entrar na sua conta Criar uma conta Gratuita

Notificações para um CWE

Fique informado sobre quaisquer alterações para um CWE específico.

Parâmetros

Você pode especificar um título que será recuperado nos alertas que serão enviados.

Especifique o ID do CWE que deseja monitorar.

Agendamento

Mês

Cálculo da próxima execução

Dia

Dia da semana

Hora

Minuto

Data de criação

Última execução

Próxima execução

Nome: Improper Neutralization of Escape, Meta, or Control Sequences

The product receives input from an upstream component, but it does not neutralize or incorrectly neutralizes special elements that could be interpreted as escape, meta, or control character sequences when they are sent to a downstream component.

Descrição CWE

As data is parsed, an injected/absent/malformed delimiter may cause the process to take unexpected actions.

Informações Gerais

Modos de Introdução

Implementation : REALIZATION: This weakness is caused during implementation of an architectural security tactic.

Plataformas Aplicáveis

Linguagem

Class: Not Language-Specific (Undetermined)

Consequências Comuns

Escopo	Impacto	Probabilidade
Integrity	Unexpected State

Exemplos Observados

Referências	Descrição
CVE-2002-0542	The mail program processes special "~" escape sequence even when not in interactive mode.
CVE-2000-0703	Setuid program does not filter escape sequences before calling mail program.
CVE-2002-0986	Mail function does not filter control characters from arguments, allowing mail message content to be modified.
CVE-2003-0020	Multi-channel issue. Terminal escape sequences not filtered from log files.
CVE-2003-0083	Multi-channel issue. Terminal escape sequences not filtered from log files.
CVE-2003-0021	Terminal escape sequences not filtered by terminals when displaying files.
CVE-2003-0022	Terminal escape sequences not filtered by terminals when displaying files.
CVE-2003-0023	Terminal escape sequences not filtered by terminals when displaying files.
CVE-2003-0063	Terminal escape sequences not filtered by terminals when displaying files.
CVE-2000-0476	Terminal escape sequences not filtered by terminals when displaying files.
CVE-2001-1556	MFV. (multi-channel). Injection of control characters into log files that allow information hiding when using raw Unix programs to read the files.

Mitigações Potenciais

Developers should anticipate that escape, meta and control characters/sequences will be injected/removed/manipulated in the input vectors of their product. Use an appropriate combination of denylists and allowlists to ensure only valid, expected and appropriate input is processed by the system.
Phases : Implementation
Phases : Implementation
While it is risky to use dynamically-generated query strings, code, or commands that mix control and data together, sometimes it may be unavoidable. Properly quote arguments and escape any special characters within those arguments. The most conservative approach is to escape or filter all characters that do not pass an extremely strict allowlist (such as everything that is not alphanumeric or white space). If some special characters are still needed, such as white space, wrap each argument in quotes after the escaping/filtering step. Be careful of argument injection (CWE-88).
Phases : Implementation
Inputs should be decoded and canonicalized to the application's current internal representation before being validated (CWE-180). Make sure that the application does not decode the same input twice (CWE-174). Such errors could be used to bypass allowlist validation schemes by introducing dangerous inputs after they have been checked.

Métodos de Detecção

Automated Static Analysis

Automated static analysis, commonly referred to as Static Application Security Testing (SAST), can find some instances of this weakness by analyzing source code (or binary/compiled code) without having to execute it. Typically, this is done by building a model of data flow and control flow, then searching for potentially-vulnerable patterns that connect "sources" (origins of input) with "sinks" (destinations where the data interacts with external components, a lower layer such as the OS, etc.)
Eficácia : High

Notas de Mapeamento de Vulnerabilidade

Justificativa : This CWE entry is at the Variant level of abstraction, which is a preferred level of abstraction for mapping to the root causes of vulnerabilities.
Comentário : Carefully read both the name and description to ensure that this mapping is an appropriate fit. Do not try to 'force' a mapping to a lower-level Base/Variant simply to comply with this preferred level of abstraction.

Padrões de Ataque Relacionados

CAPEC-ID	Nome do Padrão de Ataque
CAPEC-134	Email Injection An adversary manipulates the headers and content of an email message by injecting data via the use of delimiter characters native to the protocol.
CAPEC-41	Using Meta-characters in E-mail Headers to Inject Malicious Payloads This type of attack involves an attacker leveraging meta-characters in email headers to inject improper behavior into email programs. Email software has become increasingly sophisticated and feature-rich. In addition, email applications are ubiquitous and connected directly to the Web making them ideal targets to launch and propagate attacks. As the user demand for new functionality in email applications grows, they become more like browsers with complex rendering and plug in routines. As more email functionality is included and abstracted from the user, this creates opportunities for attackers. Virtually all email applications do not list email header information by default, however the email header contains valuable attacker vectors for the attacker to exploit particularly if the behavior of the email client application is known. Meta-characters are hidden from the user, but can contain scripts, enumerations, probes, and other attacks against the user's system.
CAPEC-81	Web Server Logs Tampering Web Logs Tampering attacks involve an attacker injecting, deleting or otherwise tampering with the contents of web logs typically for the purposes of masking other malicious behavior. Additionally, writing malicious data to log files may target jobs, filters, reports, and other agents that process the logs in an asynchronous attack pattern. This pattern of attack is similar to "Log Injection-Tampering-Forging" except that in this case, the attack is targeting the logs of the web server and not the application.
CAPEC-93	Log Injection-Tampering-Forging This attack targets the log files of the target host. The attacker injects, manipulates or forges malicious log entries in the log file, allowing them to mislead a log audit, cover traces of attack, or perform other malicious actions. The target host is not properly controlling log access. As a result tainted data is resulting in the log files leading to a failure in accountability, non-repudiation and incident forensics capability.

Submissão

Nome	Organização	Data	Data de lançamento	Version
PLOVER		2006-07-19 +00:00	2006-07-19 +00:00	Draft 3

Modificações

Nome	Organização	Data	Comentário
Eric Dalci	Cigital	2008-07-01 +00:00	updated Potential_Mitigations, Time_of_Introduction
CWE Content Team	MITRE	2008-09-08 +00:00	updated Relationships, Taxonomy_Mappings
CWE Content Team	MITRE	2008-10-14 +00:00	updated Description
CWE Content Team	MITRE	2009-07-27 +00:00	updated Potential_Mitigations
CWE Content Team	MITRE	2010-04-05 +00:00	updated Description, Name
CWE Content Team	MITRE	2011-03-29 +00:00	updated Potential_Mitigations
CWE Content Team	MITRE	2011-06-01 +00:00	updated Common_Consequences, Observed_Examples, Relationships, Taxonomy_Mappings
CWE Content Team	MITRE	2011-06-27 +00:00	updated Common_Consequences
CWE Content Team	MITRE	2012-05-11 +00:00	updated Relationships, Taxonomy_Mappings
CWE Content Team	MITRE	2012-10-30 +00:00	updated Potential_Mitigations
CWE Content Team	MITRE	2014-07-30 +00:00	updated Relationships
CWE Content Team	MITRE	2017-05-03 +00:00	updated Potential_Mitigations
CWE Content Team	MITRE	2017-11-08 +00:00	updated Applicable_Platforms, Modes_of_Introduction, Relationships
CWE Content Team	MITRE	2019-01-03 +00:00	updated Relationships, Taxonomy_Mappings
CWE Content Team	MITRE	2019-06-20 +00:00	updated Related_Attack_Patterns
CWE Content Team	MITRE	2020-02-24 +00:00	updated Potential_Mitigations, Relationships, Taxonomy_Mappings
CWE Content Team	MITRE	2020-06-25 +00:00	updated Potential_Mitigations
CWE Content Team	MITRE	2023-01-31 +00:00	updated Description, Potential_Mitigations
CWE Content Team	MITRE	2023-04-27 +00:00	updated Relationships
CWE Content Team	MITRE	2023-06-29 +00:00	updated Mapping_Notes
CWE Content Team	MITRE	2025-12-11 +00:00	updated Detection_Factors, Weakness_Ordinalities

CWE-150 Detalhe