CWE-67

Improper Handling of Windows Device Names

The product constructs pathnames from user input, but it does not handle or incorrectly handles a pathname containing a Windows device name such as AUX or CON. This typically leads to denial of service or an information exposure when the application attempts to process the pathname as a regular file.

Status: incomplete
Abstraction: variant
Likelihood: high

Not properly handling virtual filenames (e.g. AUX, CON, PRN, COM1, LPT1) can result in different types of vulnerabilities. In some cases an attacker can request a device via injection of a virtual filename in a URL, which may cause an error that leads to a denial of service or an error page that reveals sensitive information. A product that allows device names to bypass filtering runs the risk of an attacker injecting malicious code in a file with the name of a device.

Common Consequences

Scope            Impact
availability     DoS: crash, exit, or restart
confidentiality  read application data
other            other

Potential Mitigations

Phase: implementation
Description:
• Be familiar with the device names in the operating system where your system is deployed. Check input for these device names.
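The check this mitigation calls for, as an added example that is not part of the CWE entry: a validator for user-supplied filenames that covers the variants Win32 treats as equivalent to the bare device name (case, trailing dots and spaces, and an appended extension), used by a hypothetical upload handler that joins a base directory with the user's name.

```python
import re

# Reserved DOS device names from Microsoft's "Naming Files, Paths, and Namespaces"
# documentation. Assumption: the superscript-digit variants (COM\u00b9 etc.) are left
# out; extend the set for the host the product is actually deployed on.
RESERVED_DEVICE_NAMES = frozenset(
    {"CON", "PRN", "AUX", "NUL"}
    | {f"COM{n}" for n in range(1, 10)}
    | {f"LPT{n}" for n in range(1, 10)}
)


def is_windows_device_name(component: str) -> bool:
    """Return True if one path component would name a DOS device on Windows.

    Win32 matches reserved names case-insensitively, ignores anything after the
    first dot ("CON.txt" still refers to CON) and silently strips trailing dots
    and spaces, so a plain equality check against "CON" misses most variants.
    """
    stem = component.rstrip(" .").split(".", 1)[0].rstrip(" ")
    return stem.upper() in RESERVED_DEVICE_NAMES


def find_device_names(path: str) -> list[str]:
    """Return every component of `path` (either separator) that is a device name."""
    return [c for c in re.split(r"[\\/]+", path) if c and is_windows_device_name(c)]


def build_upload_path(base_dir: str, user_name: str) -> str:
    """Hypothetical upload handler: refuse to construct a pathname that would
    resolve to a device instead of handing it to the filesystem."""
    offending = find_device_names(user_name)
    if offending:
        raise ValueError(f"reserved Windows device name in filename: {offending}")
    return base_dir.rstrip("\\/") + "\\" + user_name.replace("/", "\\")


if __name__ == "__main__":
    # Constructed sample inputs: one ordinary name and four device-name variants.
    for name in ("report.txt", "con.txt", "logs/AUX", "nul ", "COM10"):
        hits = find_device_names(name)
        print(f"{name!r:14} -> {'REJECT ' + str(hits) if hits else 'ok'}")
```

COM10 and above are not reserved in the Win32 namespace, so the validator deliberately accepts them; a stricter deployment may extend the set.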

Functional Areas

file processing