Improper Handling of Windows Device Names |
Weakness ID: 67 (Weakness Variant) | Status: Incomplete |
Description Summary
Extended Description
Failing to properly handle virtual filenames (e.g. AUX, CON, PRN, COM1, LPT1) can result in different types of vulnerabilities. In some cases an attacker can request a device via injection of a virtual filename in a URL, which may cause an error that leads to a denial of service or an error page that reveals sensitive information. A software system that allows device names to bypass filtering runs the risk of an attacker injecting malicious code in a file with the name of a device.
Be familiar with the device names in the operating system where your system is deployed. Check input for these device names. |
Historically, there was a bug in the Windows operating system that caused a blue screen of death. Even after that issue was fixed DOS device names continue to be a factor. |
Ordinality | Description |
---|---|
Resultant | (where the weakness is typically related to the presence of some other weaknesses) |
Nature | Type | ID | Name | View(s) this relationship pertains to |
---|---|---|---|---|
ChildOf | Weakness Base | 66 | Improper Handling of File Names that Identify Virtual Resources | Development Concepts (primary)699 Research Concepts (primary)1000 |
ChildOf | Category | 68 | Windows Virtual File Problems | Resource-specific Weaknesses631 |
ChildOf | Category | 632 | Weaknesses that Affect Files or Directories | Resource-specific Weaknesses (primary)631 |
ChildOf | Category | 743 | CERT C Secure Coding Section 09 - Input Output (FIO) | Weaknesses Addressed by the CERT C Secure Coding Standard (primary)734 |
Mapped Taxonomy Name | Node ID | Fit | Mapped Node Name |
---|---|---|---|
PLOVER | Windows MS-DOS device names | ||
CERT C Secure Coding | FIO32-C | Do not perform operations on devices that are only appropriate for files |
Submissions | ||||
---|---|---|---|---|
Submission Date | Submitter | Organization | Source | |
PLOVER | Externally Mined | |||
Modifications | ||||
Modification Date | Modifier | Organization | Source | |
2008-07-01 | Eric Dalci | Cigital | External | |
updated Time of Introduction | ||||
2008-09-08 | CWE Content Team | MITRE | Internal | |
updated Applicable Platforms, Relationships, Other Notes, Taxonomy Mappings, Weakness Ordinalities | ||||
2008-10-14 | CWE Content Team | MITRE | Internal | |
updated Description | ||||
2008-11-24 | CWE Content Team | MITRE | Internal | |
updated Relationships, Taxonomy Mappings | ||||
2009-03-10 | CWE Content Team | MITRE | Internal | |
updated Description, Name | ||||
2009-10-29 | CWE Content Team | MITRE | Internal | |
updated Background Details, Other Notes | ||||
Previous Entry Names | ||||
Change Date | Previous Entry Name | |||
2008-04-11 | Windows MS-DOS Device Names | |||
2009-03-10 | Failure to Handle Windows Device Names | |||