The software calls a function, procedure, or routine, but the caller specifies the arguments in an incorrect order, leading to resultant weaknesses. While this weakness might be caught by the compiler in some languages, it can occur more frequently in cases in which the called function accepts variable numbers or types of arguments, such as format strings in C. It also can occur in languages or environments that do not enforce strong typing. 1000 699 Weakness ChildOf 628 888 Category ChildOf 885 Primary Implementation This problem typically occurs when the programmer makes a typo, or copy and paste errors. Other Quality degradation Implementation Use the function, procedure, or routine as specified. Testing Because this function call often produces incorrect behavior it will usually be detected during testing or normal operation of the software. During testing exercise all possible control paths will typically expose this weakness except in rare cases when the incorrect function call accidentally produces the correct results or if the provided argument type is very similar to the expected argument type. The following PHP method authenticates a user given a username/password combination but is called with the parameters in reverse order. PHP function authenticate($username, $password) { // authenticate user ... } authenticate($_POST['password'], $_POST['username']); CVE-2006-7049 Application calls functions with arguments in the wrong order, allowing attacker to bypass intended access restrictions. Sean Eidemiller Cigital 2008-07-01 added/updated demonstrative examples Eric Dalci Cigital 2008-07-01 updated Potential_Mitigations CWE Content Team MITRE 2008-09-08 updated Description, Relationships, Other_Notes, Weakness_Ordinalities CWE Content Team MITRE 2009-05-27 updated Demonstrative_Examples CWE Content Team MITRE 2009-10-29 updated Modes_of_Introduction, Other_Notes, Potential_Mitigations CWE Content Team MITRE 2011-06-01 updated Common_Consequences CWE Content Team MITRE 2011-06-27 updated Common_Consequences CWE Content Team MITRE 2012-05-11 updated Demonstrative_Examples, Relationships CWE Content Team MITRE 2012-10-30 updated Potential_Mitigations