Externally Controlled Reference to a Resource in Another Sphere
Weakness ID: 610 (Weakness Class)   Status: Draft

Description

Description Summary

The product uses an externally controlled name or reference that resolves to a resource that is outside of the intended control sphere.

Extended Description

Time of Introduction

  • Architecture and Design

Relationships

Nature   | Type             | ID  | Name                                                                              | View(s) this relationship pertains to
ChildOf  | Category         | 265 | Privilege / Sandbox Issues                                                        | Development Concepts (primary) 699
ChildOf  | Weakness Class   | 664 | Improper Control of a Resource Through its Lifetime                               | Research Concepts (primary) 1000
ParentOf | Weakness Base    | 15  | External Control of System or Configuration Setting                               | Research Concepts 1000
ParentOf | Weakness Class   | 73  | External Control of File Name or Path                                             | Research Concepts 1000
ParentOf | Weakness Base    | 441 | Unintended Proxy/Intermediary                                                     | Research Concepts (primary) 1000
ParentOf | Weakness Base    | 470 | Use of Externally-Controlled Input to Select Classes or Code ('Unsafe Reflection') | Research Concepts (primary) 1000
ParentOf | Weakness Variant | 601 | URL Redirection to Untrusted Site ('Open Redirect')                               | Research Concepts (primary) 1000
ParentOf | Weakness Variant | 611 | Information Leak Through XML External Entity File Disclosure                      | Research Concepts 1000
PeerOf   | Weakness Base    | 386 | Symbolic Name not Mapping to Correct Object                                       | Research Concepts 1000

Relationship Notes

This is a general class of weakness, but most research is focused on more specialized cases, such as path traversal (CWE-22) and symlink following (CWE-61). A symbolic link has a name; in general, it appears like any other file in the file system. However, the link includes a reference to another file, often in another directory - perhaps in another sphere of control. Many common library functions that accept filenames will "follow" a symbolic link and use the link's target instead.
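The symlink case described in the notes, as an added example that is not part of the CWE entry: an externally supplied file name is accepted only if its final target, after every link is followed, still lies inside the intended directory, and the open itself refuses a link as the last component. The sandbox layout, file names and function names are constructed for the demonstration.

```python
import os
import tempfile
from pathlib import Path


def resolves_in_sphere(base_dir: str, name: str) -> bool:
    """True only if base_dir/name, after every symlink is followed and
    '..' components are normalised, still lies inside base_dir.

    The comparison is made on the final target, not on the name: a link
    looks like any other file but may reference one in another sphere."""
    base = Path(base_dir).resolve(strict=True)
    try:
        target = (base / name).resolve(strict=True)
    except (OSError, RuntimeError):  # missing file or symlink loop
        return False
    return target == base or base in target.parents


def open_in_sphere(base_dir: str, name: str) -> int:
    """Open for reading only when the name resolves inside base_dir.

    O_NOFOLLOW additionally refuses a symlink as the final path component,
    so a link swapped in between the check and the open is still rejected
    (where the platform lacks the flag, the resolve check alone applies)."""
    if not resolves_in_sphere(base_dir, name):
        raise PermissionError(f"{name!r} resolves outside {base_dir!r}")
    flags = os.O_RDONLY | getattr(os, "O_NOFOLLOW", 0)
    return os.open(os.path.join(base_dir, name), flags)


def demo() -> dict:
    """Constructed layout (hypothetical, not from the CWE entry): a sandbox
    holding one regular file and one symlink whose target lies outside."""
    sandbox, outside = tempfile.mkdtemp(), tempfile.mkdtemp()
    Path(sandbox, "report.txt").write_text("inside\n")
    Path(outside, "secret.txt").write_text("outside\n")
    os.symlink(os.path.join(outside, "secret.txt"), os.path.join(sandbox, "link.txt"))
    results = {
        "regular": resolves_in_sphere(sandbox, "report.txt"),
        "symlink_out": resolves_in_sphere(sandbox, "link.txt"),
        "dot_dot": resolves_in_sphere(sandbox, f"../{os.path.basename(outside)}/secret.txt"),
    }
    try:
        os.close(open_in_sphere(sandbox, "link.txt"))
        results["open_link"] = "opened"  # would mean the link was followed
    except PermissionError:
        results["open_link"] = "rejected"
    return results


if __name__ == "__main__":
    print(demo())
```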

Content History

Submission Date | Submitter                         | Organization | Source
                | Anonymous Tool Vendor (under NDA) |              | Externally Mined

Modification Date | Modifier         | Organization | Source   | Change
2008-09-08        | CWE Content Team | MITRE        | Internal | updated Relationships, Other Notes, Taxonomy Mappings
2009-10-29        | CWE Content Team | MITRE        | Internal | updated Other Notes, Relationship Notes

Previous Entry Names

Change Date | Previous Entry Name
2008-04-11  | Externally Controlled Reference to an Internal Resource