CWE

Improper Neutralization of Equivalent Special Elements

ID: 76		Date: (C)2012-05-14   (M)2022-10-10
Type: weakness		Status: DRAFT
Abstraction Type: Base

Description

The software properly neutralizes certain special elements, but it improperly neutralizes equivalent special elements.

Extended Description

The software may have a fixed list of special characters it believes is complete. However, there may be alternate encodings, or representations that also have the same meaning. For example, the software may filter out a leading slash (/) to prevent absolute path names, but does not account for a tilde (~) followed by a user name, which on some *nix systems could be expanded to an absolute pathname. Alternately, the software might filter a dangerous "-e" command-line switch when calling an external program, but it might not account for "--exec" or other switches that have the same semantics.

Likelihood of Exploit: High to Very High

Applicable Platforms
Language Class: All

Time Of Introduction

• Architecture and Design
• Implementation

Common Consequences

Scope	Technical Impact	Notes
Other	Other

Detection Methods
None

Potential Mitigations

Phase	Strategy	Description	Effectiveness	Notes
Requirements		Programming languages and supporting technologies might be chosen which are not subject to these issues.
Implementation		Utilize an appropriate mix of white-list and black-list parsing to filter equivalent special element syntax from all input.

Relationships

Related CWE	Type	View	Chain
CWE-76 ChildOf CWE-896	Category	CWE-888

Demonstrative Examples
None

White Box Definitions
None

Black Box Definitions
None

Taxynomy Mappings

Taxynomy	Id	Name	Fit
PLOVER		Equivalent Special Element Injection

References:
None