Modification of Assumed-Immutable Data (MAID)
Weakness ID: 471 (Weakness Base) | Status: Draft
Description Summary
Example 1
In the code excerpt below, an array returned by a Java method is modified by the caller; this is possible because Java arrays are mutable, so the caller's write reaches the array the method handed out.
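The pattern behind that excerpt, as an added example written for this entry rather than the CWE text's own code (the `LeakyCar` and `SafeCar` classes, their colour arrays and the `main` driver are assumed for illustration): a getter that returns its internal array lets any caller rewrite state the class treats as fixed, while a defensive copy or an unmodifiable view keeps the assumption true.

```java
import java.util.Arrays;
import java.util.Collections;
import java.util.List;

public class CarColors {

    // Vulnerable: the getter returns the internal array itself.
    // 'final' only fixes the reference; the elements stay writable.
    static class LeakyCar {
        private final String[] colors = {"Blue", "Green"}; // assumed immutable

        String[] getAllPossibleColors() {
            return colors; // caller now holds a reference to internal state
        }
    }

    // Hardened: callers receive a copy, or an unmodifiable view, so the
    // internal array cannot be changed from outside the class.
    static class SafeCar {
        private final String[] colors = {"Blue", "Green"};

        String[] getAllPossibleColors() {
            return colors.clone(); // defensive copy of a String[] is a fresh array
        }

        List<String> getAllPossibleColorsView() {
            // Arrays.asList writes through to the array, so wrap it:
            // set() on the returned view throws UnsupportedOperationException.
            return Collections.unmodifiableList(Arrays.asList(colors));
        }
    }

    public static void main(String[] args) {
        LeakyCar leaky = new LeakyCar();
        String[] leaked = leaky.getAllPossibleColors();
        leaked[0] = "Red"; // rewrites the object's "immutable" data
        System.out.println("Leaky: " + Arrays.toString(leaky.getAllPossibleColors()));

        SafeCar safe = new SafeCar();
        String[] copy = safe.getAllPossibleColors();
        copy[0] = "Red"; // only the caller's copy changes
        System.out.println("Safe:  " + Arrays.toString(safe.getAllPossibleColors()));

        try {
            safe.getAllPossibleColorsView().set(0, "Red");
        } catch (UnsupportedOperationException e) {
            System.out.println("View rejected the modification");
        }
    }
}
```

The same defect appears with any mutable object reached through a `public static final` field (CWE-607, listed under Relationships below): the modifier protects the reference, not the contents.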
Observed Examples

| Reference | Description |
|---|---|
| CVE-2002-1757 | Relies on $PHP_SELF variable for authentication. |
| CVE-2005-1905 | Gain privileges by modifying assumed-immutable code addresses that are accessed by a driver. |
Potential Mitigations

Phases: Architecture and Design; Operation; Implementation
Implement proper protection for immutable data (e.g. environment variables, hidden form fields, etc.).
Other Notes

Factors: MAID issues can be primary to many other weaknesses, and they are a major factor in languages such as PHP. This happens when a particular input is critical enough to the functioning of the application that it should not be modifiable at all, but it is. A common programmer assumption is that certain variables are immutable; hidden form fields in web applications are a frequent case. There are therefore many examples where the MUTABILITY property is a major factor in a vulnerability. Common data types that are attacked are environment variables, web application parameters, and HTTP headers.
Relationships

| Nature | Type | ID | Name | View(s) this relationship pertains to |
|---|---|---|---|---|
| ChildOf | Category | 19 | Data Handling | Development Concepts (primary) 699 |
| ChildOf | Weakness Class | 664 | Improper Control of a Resource Through its Lifetime | Research Concepts (primary) 1000 |
| RequiredBy | Compound Element: Composite | 291 | Trusting Self-reported IP Address | Research Concepts 1000 |
| RequiredBy | Compound Element: Composite | 426 | Untrusted Search Path | Research Concepts 1000 |
| ParentOf | Weakness Base | 472 | External Control of Assumed-Immutable Web Parameter | Development Concepts (primary) 699; Research Concepts 1000 |
| ParentOf | Weakness Variant | 473 | PHP External Variable Modification | Development Concepts (primary) 699; Research Concepts (primary) 1000 |
| ParentOf | Weakness Variant | 607 | Public Static Final Field References Mutable Object | Development Concepts 699; Research Concepts (primary) 1000 |
| CanFollow | Weakness Base | 425 | Direct Request ('Forced Browsing') | Research Concepts 1000 |
| CanFollow | Weakness Base | 602 | Client-Side Enforcement of Server-Side Security | Research Concepts 1000 |
| PeerOf | Weakness Base | 621 | Variable Extraction Error | Research Concepts 1000 |
Taxonomy Mappings

| Mapped Taxonomy Name | Node ID | Fit | Mapped Node Name |
|---|---|---|---|
| PLOVER | | | Modification of Assumed-Immutable Data |
Content History

Submissions

| Submission Date | Submitter | Organization | Source |
|---|---|---|---|
| | PLOVER | | Externally Mined |

Modifications

| Modification Date | Modifier | Organization | Source | Changes |
|---|---|---|---|---|
| 2008-07-01 | Sean Eidemiller | Cigital | External | added/updated demonstrative examples |
| 2008-07-01 | Eric Dalci | Cigital | External | updated Potential Mitigations, Time of Introduction |
| 2008-09-08 | CWE Content Team | MITRE | Internal | updated Relationships, Other Notes, Taxonomy Mappings |
| 2009-07-27 | CWE Content Team | MITRE | Internal | updated Other Notes |