Failure to Handle Missing Parameter |
| Weakness ID: 234 (Weakness Base) | Status: Incomplete |
DescriptionDescription Summary
Time of Introduction- Architecture and Design
- Implementation
Applicable PlatformsLanguages
All
Common Consequences| Scope | Effect |
|---|---|
Authorization | There is the potential for arbitrary code execution with privileges of the vulnerable program if function parameter list is exhausted. |
Availability | Potentially a program could fail if it needs more arguments then are available. |
Likelihood of ExploitHigh
Demonstrative ExamplesExample 1
This can be exploited to disclose information with no work whatsoever. In fact, each time this function is run, it will print out the next 4 bytes on the stack after the two numbers sent to it.
Observed Examples| Reference | Description |
|---|---|
| CVE-2004-0276 | |
| CVE-2002-1488 | |
| CVE-2002-1169 | |
| CVE-2000-0521 | Web server allows disclosure of CGI source code via an HTTP request without the version number. |
| CVE-2001-0590 | |
| CVE-2003-0239 | |
| CVE-2002-1023 | |
| CVE-2002-1236 | CGI crashes when called without any arguments. |
| CVE-2003-0422 | CGI crashes when called without any arguments. |
| CVE-2002-1531 | Crash in HTTP request without a Content-Length field. |
| CVE-2002-1077 | Crash in HTTP request without a Content-Length field. |
| CVE-2002-1358 | Empty elements/strings in protocol test suite affect many SSH2 servers/clients. |
| CVE-2003-0477 | FTP server crashes in PORT command without an argument. |
| CVE-2002-0107 | Resultant infoleak in web server via GET requests without HTTP/1.0 version string. |
| CVE-2002-0596 | GET request with empty parameter leads to error message infoleak (path disclosure). |
Potential MitigationsPhase: Build and Compilation This issue can be simply combated with the use of proper build process. |
Phase: Implementation Forward declare all functions. This is the recommended solution. Properly forward declaration of all used functions will result in a compiler error if too few arguments are sent to a function. |
Relationships| Nature | Type | ID | Name | View(s) this relationship pertains to |
|---|---|---|---|---|
| ChildOf |  Weakness Class | 233 | Parameter Problems | Development Concepts (primary)699 Research Concepts (primary)1000 |
Taxonomy Mappings| Mapped Taxonomy Name | Node ID | Fit | Mapped Node Name |
|---|---|---|---|
| PLOVER | Missing Parameter Error | ||
| CLASP | Missing parameter |
Maintenance Notes| This entry will be deprecated in a future version of CWE. The term "missing parameter" was used in both PLOVER and CLASP, with completely different meanings. However, data from both taxonomies was merged into this entry. In PLOVER, it was meant to cover malformed inputs that do not contain required parameters, such as a missing parameter in a CGI request. This entry's observed examples and classification came from PLOVER. However, the description, demonstrative example, and other information are derived from CLASP. They are related to an incorrect number of function arguments, which is already covered by CWE-685. |
Content History| Submissions | ||||
|---|---|---|---|---|
| Submission Date | Submitter | Organization | Source | |
| PLOVER | Externally Mined | |||
| Modifications | ||||
| Modification Date | Modifier | Organization | Source | |
| 2008-07-01 | Eric Dalci | Cigital | External | |
| updated Time of Introduction | ||||
| 2008-09-08 | CWE Content Team | MITRE | Internal | |
| updated Common Consequences, Relationships, Observed Example, Other Notes, Taxonomy Mappings | ||||
| 2008-11-24 | CWE Content Team | MITRE | Internal | |
| updated Observed Examples | ||||
| 2009-03-09 (Critical) | CWE Content Team | MITRE | Internal | |
| added maintenance note: this entry will probably be deprecated | ||||
| 2009-03-10 | CWE Content Team | MITRE | Internal | |
| updated Maintenance Notes, Other Notes, Potential Mitigations | ||||
| Previous Entry Names | ||||
| Change Date | Previous Entry Name | |||
| 2008-04-11 | Missing Parameter Error | |||
