Externally Controlled Reference to a Resource in Another Sphere
Weakness ID: 610 (Weakness Class) | Status: Draft
Description Summary
The product uses an externally controlled name or reference that resolves to a resource that is outside of the intended control sphere.
Nature | Type | ID | Name | View(s) this relationship pertains to
---|---|---|---|---
ChildOf | Category | 265 | Privilege / Sandbox Issues | Development Concepts (primary) 699
ChildOf | Weakness Class | 664 | Improper Control of a Resource Through its Lifetime | Research Concepts (primary) 1000
ParentOf | Weakness Base | 15 | External Control of System or Configuration Setting | Research Concepts 1000
ParentOf | Weakness Class | 73 | External Control of File Name or Path | Research Concepts 1000
ParentOf | Weakness Base | 441 | Unintended Proxy/Intermediary | Research Concepts (primary) 1000
ParentOf | Weakness Base | 470 | Use of Externally-Controlled Input to Select Classes or Code ('Unsafe Reflection') | Research Concepts (primary) 1000
ParentOf | Weakness Variant | 601 | URL Redirection to Untrusted Site ('Open Redirect') | Research Concepts (primary) 1000
ParentOf | Weakness Variant | 611 | Information Leak Through XML External Entity File Disclosure | Research Concepts 1000
PeerOf | Weakness Base | 386 | Symbolic Name not Mapping to Correct Object | Research Concepts 1000
Relationship Notes
This is a general class of weakness, but most research is focused on more specialized cases, such as path traversal (CWE-22) and symlink following (CWE-61). A symbolic link has a name; in general, it appears like any other file in the file system. However, the link includes a reference to another file, often in another directory - perhaps in another sphere of control. Many common library functions that accept filenames will "follow" a symbolic link and use the link's target instead.
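The two specialized cases named above (a `..` component that walks out of the intended directory, and a symlink inside that directory whose target lies outside it) are caught by the same containment check if the check is applied to the fully resolved target rather than to the name the caller supplied. The following is an added example, not code from the CWE entry or from MITRE; the function names `resolve_within` and `read_within`, the exception class, and the temporary sandbox built by `demo()` are all constructed for illustration.

```python
import os
import shutil
import tempfile
from pathlib import Path


class ReferenceOutsideSphereError(ValueError):
    """Raised when a caller-supplied name resolves outside the allowed directory."""


def resolve_within(base_dir, user_name) -> Path:
    """Resolve user_name against base_dir and require the final target to stay inside.

    Path.resolve() follows symlinks and collapses '..', so the containment check
    runs on the real target: a traversal name (CWE-22) and a symlink that points
    outside the directory (CWE-61) both fail the same relative_to() test.
    An absolute user_name replaces base_dir entirely and is rejected the same way.
    """
    base = Path(base_dir).resolve()
    candidate = (base / user_name).resolve()
    try:
        candidate.relative_to(base)
    except ValueError:
        raise ReferenceOutsideSphereError(
            f"{user_name!r} resolves to {candidate}, outside {base}"
        ) from None
    return candidate


def read_within(base_dir, user_name) -> bytes:
    """Open the validated target without following a symlink in the last component."""
    target = resolve_within(base_dir, user_name)
    # O_NOFOLLOW (not available on every platform, hence the getattr) narrows the
    # window between the check above and the open: if the final component has been
    # replaced by a symlink in the meantime, the open fails instead of following it.
    flags = os.O_RDONLY | getattr(os, "O_NOFOLLOW", 0)
    fd = os.open(target, flags)
    with os.fdopen(fd, "rb") as f:
        return f.read()


def demo() -> dict:
    """Constructed sandbox: an allowed directory with one file, a secret file outside
    it, and a symlink inside the allowed directory that points at the secret."""
    root = Path(tempfile.mkdtemp())
    try:
        allowed = root / "public"
        allowed.mkdir()
        (allowed / "readme.txt").write_bytes(b"hello")
        secret = root / "secret.txt"
        secret.write_bytes(b"top secret")
        (allowed / "link").symlink_to(secret)

        results = {}
        for name in ["readme.txt", "../secret.txt", "link", str(secret)]:
            try:
                results[name] = read_within(allowed, name)
            except ReferenceOutsideSphereError:
                results[name] = "rejected"
        return results
    finally:
        shutil.rmtree(root)


if __name__ == "__main__":
    for name, outcome in demo().items():
        print(f"{name!r:>40} -> {outcome!r}")
```

Only `readme.txt` is readable; the traversal name, the in-directory symlink and the absolute path are all rejected before any file is opened, because the decision is made on the resolved target and not on the externally supplied name.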
Submissions

Submission Date | Submitter | Organization | Source
---|---|---|---
 | Anonymous Tool Vendor (under NDA) | | Externally Mined

Modifications

Modification Date | Modifier | Organization | Source | Changes
---|---|---|---|---
2008-09-08 | CWE Content Team | MITRE | Internal | updated Relationships, Other Notes, Taxonomy Mappings
2009-10-29 | CWE Content Team | MITRE | Internal | updated Other Notes, Relationship Notes

Previous Entry Names

Change Date | Previous Entry Name
---|---
2008-04-11 | Externally Controlled Reference to an Internal Resource