CWE-66 标识虚拟资源的文件名处理不恰当

2021年12月16日16:27:37评论58 views字数 2250阅读7分30秒阅读模式

CWE-66 标识虚拟资源的文件名处理不恰当

Improper Handling of File Names that Identify Virtual Resources

结构: Simple

Abstraction: Base

状态: Draft

被利用可能性: unkown

基本描述

The product does not handle or incorrectly handles a file name that identifies a "virtual" resource that is not directly specified within the directory that is associated with the file name, causing the product to perform file-based operations on a resource that is not a file.

扩展描述

Virtual file names are represented like normal file names, but they are effectively aliases for other resources that do not behave like normal files. Depending on their functionality, they could be alternate entities. They are not necessarily listed in directories.

相关缺陷

cwe_Nature: ChildOf cwe_CWE_ID: 706 cwe_View_ID: 1000 cwe_Ordinal: Primary

适用平台

Language: {'cwe_Class': 'Language-Independent', 'cwe_Prevalence': 'Undetermined'}

常见的影响

范围	影响	注释
Other	Other

检测方法

Automated Static Analysis - Binary or Bytecode

According to SOAR, the following detection techniques may be useful:

Cost effective for partial coverage:

Bytecode Weakness Analysis - including disassembler + source code weakness analysis

Manual Static Analysis - Binary or Bytecode

According to SOAR, the following detection techniques may be useful:

Cost effective for partial coverage:

Binary / Bytecode disassembler - then use manual analysis for vulnerabilities & anomalies

Dynamic Analysis with Automated Results Interpretation

According to SOAR, the following detection techniques may be useful:

Cost effective for partial coverage:

Web Application Scanner
Web Services Scanner
Database Scanners

Dynamic Analysis with Manual Results Interpretation

According to SOAR, the following detection techniques may be useful:

Cost effective for partial coverage:

Fuzz Tester
Framework-based Fuzzer

Manual Static Analysis - Source Code

According to SOAR, the following detection techniques may be useful:

Highly cost effective:

Focused Manual Spotcheck - Focused manual analysis of source
Manual Source Code Review (not inspections)

Automated Static Analysis - Source Code

According to SOAR, the following detection techniques may be useful:

Cost effective for partial coverage:

Source code Weakness Analyzer
Context-configured Source Code Weakness Analyzer

Architecture or Design Review

According to SOAR, the following detection techniques may be useful:

Highly cost effective:

Formal Methods / Correct-By-Construction

Cost effective for partial coverage:

Inspection (IEEE 1028 standard) (can apply to requirements, design, source code, etc.)

分类映射

映射的分类名	ImNode ID	Fit	Mapped Node Name
PLOVER			Virtual Files

文章来源于互联网:scap中文网

免责声明:文章中涉及的程序(方法)可能带有攻击性，仅供安全研究与教学之用，读者将其信息做其他用途，由读者承担全部法律及连带责任，本站不承担任何法律及连带责任；如有问题可邮件联系(建议使用企业邮箱或有效邮箱,避免邮件被拦截，联系方式见首页)，望知悉。

左青龙
微信扫一扫

右白虎
微信扫一扫

View-999: Weaknesses without Software Fault Patterns

View-884: CWE Cross-section

View-868: Weaknesses Addressed by the SEI CERT C++ Coding Standard (2016 Version)

View-844: Weaknesses Addressed by The CERT Oracle Secure Coding Standard for Java (2011)

View-809: Weaknesses in OWASP Top Ten (2010)

View-800: Weaknesses in the 2010 CWE/SANS Top 25 Most Dangerous Programming Errors

View-750: Weaknesses in the 2009 CWE/SANS Top 25 Most Dangerous Programming Errors

View-734: Weaknesses Addressed by the CERT C Secure Coding Standard (2008)

View-711: Weaknesses in OWASP Top Ten (2004)

View-709: Named Chains

本文由 admin 发表于 2021年12月16日16:27:37
转载请保留本文链接(CN-SEC中文网:感谢原作者辛苦付出)：
CWE-66 标识虚拟资源的文件名处理不恰当https://cn-sec.com/archives/613059.html
免责声明:文章中涉及的程序(方法)可能带有攻击性，仅供安全研究与教学之用，读者将其信息做其他用途，由读者承担全部法律及连带责任，本站不承担任何法律及连带责任；如有问题可邮件联系(建议使用企业邮箱或有效邮箱,避免邮件被拦截，联系方式见首页)，望知悉.

目录

在线咨询

13688888888

8888 QQ在线咨询

微信
本页二维码