CWE-224: Obscured Security-relevant Information by Alternate Name
The product records security-relevant information according to an alternate name of the affected entity, instead of the canonical name.
Overview
CWE-224 (Obscured Security-relevant Information by Alternate Name) is a base-level software weakness catalogued by MITRE in the Common Weakness Enumeration (CWE). It describes a recurring type of mistake that can lead to exploitable security vulnerabilities.
Common consequences
What can happen when CWE-224 is exploited.
Impact: Hide Activities; Gain Privileges or Assume Identity
Affects: Non-Repudiation, Access Control
How it happens
When it is introduced
Typically introduced during these phases of the software lifecycle.
Code examples
Illustrative examples from MITRE showing how the weakness appears in code.
This code prints the contents of a file if a user has permission.
Vulnerable example (PHP; only the opening line of the function survives on this page)

```php
function readFile($filename){
```

While the code logs a bad access attempt, it logs the user-supplied name for the file, not the canonicalized file name. An attacker can obscure their target by giving the script the name of a link to the file they are attempting to access. Also note that this code contains a race condition between the is_link() and readlink() functions (CWE-363).
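The same pattern in Python, as an added example that is not part of the MITRE entry: the naive logger records whatever name the caller supplied, while the hardened version resolves symlinks and `..` once with `os.path.realpath()` and records both the canonical path and the requested alias. The `owners` mapping is a constructed stand-in for PHP's `fileowner()`, and the symlink fixture is built in a temporary directory.

```python
import os
import tempfile
from datetime import datetime, timezone
from typing import Dict, Optional, Tuple


def log_entry_naive(user: str, requested: str) -> str:
    """Weak pattern from the CWE text: record the name the user supplied.
    A symlink named harmless.txt hides that secret.txt was the real target."""
    return f"{user} attempted to access {requested}"


def read_if_permitted(user: str, requested: str,
                      owners: Dict[str, str]) -> Tuple[Optional[str], str]:
    """Hardened counterpart of the page's readFile(): returns (contents, log line).

    `owners` maps canonical path -> owning user (constructed stand-in for
    fileowner()). The path is resolved exactly once and the resolved value is
    used for both the permission check and the log record, so there is no
    separate is_link()/readlink() pair to race and no alias in the audit trail.
    """
    real = os.path.realpath(requested)
    if owners.get(real) == user:
        with open(real) as fh:
            return fh.read(), f"{user} read {real}"
    stamp = datetime.now(timezone.utc).isoformat()
    # Keep the requested alias too: it is evidence of how the attempt was made.
    return None, (f"{user} attempted to access {real} "
                  f"(requested as {requested!r}) on {stamp}")


def build_fixture() -> Tuple[str, str, str]:
    """Constructed sample: a protected file and a symlink that points at it."""
    root = tempfile.mkdtemp()
    target = os.path.join(root, "secret.txt")
    with open(target, "w") as fh:
        fh.write("top secret\n")
    alias = os.path.join(root, "harmless.txt")
    os.symlink(target, alias)
    return root, target, alias


if __name__ == "__main__":
    _, target, alias = build_fixture()
    owners = {os.path.realpath(target): "root"}
    print(log_entry_naive("alice", alias))            # names only harmless.txt
    print(read_if_permitted("alice", alias, owners)[1])  # names secret.txt
```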