CWE-74: Failure to Sanitize Data into a Different Plane ('Injection')
CWE Definition: http://cwe.mitre.org/data/definitions/74.html
Number of vulnerabilities: 846

Description
The software fails to adequately filter user-controlled input data for syntax that has control-plane implications. Software has certain assumptions about what constitutes data and control respectively. It is the lack of verification of these assumptions for user-controlled input that leads to injection problems. Injection problems encompass a wide variety of issues -- all mitigated in very different ways and usually attempted in order to alter the control flow of the process. For this reason, the most effective way to discuss these weaknesses is to note the distinct features which classify them as injection weaknesses. The most important issue to note is that all injection problems share one thing in common -- i.e., they allow for the injection of control plane data into the user-controlled data plane. This means that the execution of the process may be altered by sending code in through legitimate data channels, using no other mechanism. While buffer overflows, and many other flaws, involve the use of some further issue to gain execution, injection problems need only for the data to be parsed. The most classic instantiations of this category of weakness are SQL injection and format string vulnerabilities.

Background Details: (none)
Other Notes: (none)
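The data-plane/control-plane distinction described above, shown with the SQL injection instance the entry names. This is an added example, not part of the CWE entry: the in-memory `users` table, the `lookup_unsafe`/`lookup_safe` functions and the crafted input are all constructed here. The unsafe lookup pastes the caller's string into the statement text, so SQL syntax in it is parsed as control; the safe lookup binds the same string as a parameter, so the engine only ever treats it as data.

```python
import sqlite3

# Constructed in-memory table used only for this demonstration.
def make_db() -> sqlite3.Connection:
    conn = sqlite3.connect(":memory:")
    conn.execute("CREATE TABLE users (name TEXT, role TEXT)")
    conn.executemany("INSERT INTO users VALUES (?, ?)",
                     [("alice", "admin"), ("bob", "user"), ("carol", "user")])
    return conn

def lookup_unsafe(conn: sqlite3.Connection, name: str) -> list:
    # Vulnerable: the input is concatenated into the SQL text, so quotes,
    # OR and other syntax it carries become part of the statement.
    sql = "SELECT name FROM users WHERE name = '" + name + "' ORDER BY name"
    return [row[0] for row in conn.execute(sql)]

def lookup_safe(conn: sqlite3.Connection, name: str) -> list:
    # Hardened: the statement text is fixed and the value travels as a bound
    # parameter; the engine never parses it as SQL, whatever it contains.
    sql = "SELECT name FROM users WHERE name = ? ORDER BY name"
    return [row[0] for row in conn.execute(sql, (name,))]

if __name__ == "__main__":
    db = make_db()
    crafted = "x' OR 'a'='a"  # constructed input carrying SQL syntax
    print(lookup_unsafe(db, crafted))  # ['alice', 'bob', 'carol']: input became control
    print(lookup_safe(db, crafted))    # []: input stayed data
```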
Warning! CWE definitions are provided as a quick reference. They are not complete and may not be up to date! You must visit http://cwe.mitre.org/ for a complete list of CWE entries and for more details.