Return of Wrong Status Code
Weakness ID: 393 (Weakness Base) | Status: Draft
Description Summary
A function or operation returns an incorrect return value or status code that does not indicate an error, but causes the product to modify its behavior based on the incorrect result.
Extended Description
This can lead to unpredictable behavior. If the function is used to make security-critical decisions or provide security-critical information, then the wrong status code can cause the software to assume that an action is safe, even when it is not.
Example 1
In the following example, an HTTP 404 status code is returned in the event of an IOException encountered in a Java servlet. A 404 code is typically meant to indicate a non-existent resource and would be somewhat misleading in this case.
(Bad Code)
Example Language: Java
    try {
        // something that might throw IOException
        ...
    } catch (IOException ioe) {
        // Wrong status: a server-side I/O failure is reported as "resource not found"
        // (SC_NOT_FOUND is the HttpServletResponse constant for HTTP 404).
        response.sendError(HttpServletResponse.SC_NOT_FOUND);
    }
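Added example (not part of the CWE entry) that re-creates the servlet scenario above in Python and shows why the code matters: the handler in handle_bad maps a backend I/O failure to 404 exactly as the Java catch block does, handle_fixed reports it as 500, and a sync client (mirror_decision) that trusts the status purges its local copy when told 404. The store contents, exception class and client policy are all constructed for the illustration.

```python
"""CWE-393 illustration: an I/O failure reported as 404 misleads a client."""
from http import HTTPStatus

# Constructed in-memory backend: path -> bytes; None simulates a read failure.
STORE = {"/report.pdf": b"%PDF-1.4 constructed sample", "/flaky.bin": None}


class IOFailure(Exception):
    """Stands in for Java's IOException: the resource exists but could not be read."""


def read_resource(path):
    if path not in STORE:
        raise FileNotFoundError(path)
    data = STORE[path]
    if data is None:
        raise IOFailure(f"backend unavailable while reading {path}")
    return data


def handle_bad(path):
    """Mirrors the page's bad example: every I/O failure becomes 404."""
    try:
        return HTTPStatus.OK, read_resource(path)
    except FileNotFoundError:
        return HTTPStatus.NOT_FOUND, b""
    except IOFailure:
        return HTTPStatus.NOT_FOUND, b""  # wrong: claims the resource does not exist


def handle_fixed(path):
    """Corrected handler: a failed read is a server-side error, so report 500."""
    try:
        return HTTPStatus.OK, read_resource(path)
    except FileNotFoundError:
        return HTTPStatus.NOT_FOUND, b""
    except IOFailure:
        return HTTPStatus.INTERNAL_SERVER_ERROR, b""


def mirror_decision(status):
    """Sync client policy driven by the status code (constructed for the example):
    404 means the origin no longer has the file, so the local copy is purged;
    any 5xx means the origin is unhealthy, so keep the copy and retry later."""
    if status == HTTPStatus.NOT_FOUND:
        return "purge-local-copy"
    if status >= 500:
        return "keep-and-retry"
    return "update-local-copy"
```

With handle_bad, a transient read failure on /flaky.bin makes the client delete data it should have kept; with handle_fixed the same failure leads to a retry.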
Observed Examples
Reference | Description
---|---
CVE-2003-1132 | DNS server returns wrong response code for non-existent AAAA record, which effectively says that the domain is inaccessible.
CVE-2001-1509 | Hardware-specific implementation of system call causes incorrect results from geteuid.
CVE-2001-1559 | System call returns wrong value, leading to a resultant NULL dereference.
Relationships
Nature | Type | ID | Name | View(s) this relationship pertains to
---|---|---|---|---
ChildOf | Category | 389 | Error Conditions, Return Values, Status Codes | Development Concepts (primary) 699
ChildOf | Weakness Base | 684 | Failure to Provide Specified Functionality | Research Concepts (primary) 1000
ChildOf | Weakness Class | 703 | Failure to Handle Exceptional Conditions | Research Concepts 1000
Relationship Notes
This can be primary or resultant, but it is probably most often primary to other issues.
Maintenance Notes
This probably overlaps various categories, especially those related to error handling.
Content History
Submissions
Submission Date | Submitter | Organization | Source
---|---|---|---
| PLOVER | | Externally Mined
Modifications
Modification Date | Modifier | Organization | Source | Change
---|---|---|---|---
2008-07-01 | Sean Eidemiller | Cigital | External | added/updated demonstrative examples
2008-07-01 | Eric Dalci | Cigital | External | updated Time of Introduction
2008-09-08 | CWE Content Team | MITRE | Internal | updated Maintenance Notes, Relationships, Other Notes, Taxonomy Mappings
2008-10-14 | CWE Content Team | MITRE | Internal | updated Description
2009-03-10 | CWE Content Team | MITRE | Internal | updated Relationships
Previous Entry Names
Change Date | Previous Entry Name
---|---
2008-04-11 | Wrong Status Code