CWE-430: Deployment of Wrong Handler
| Abstraction | Structure | Status |
|---|---|---|
| None | Simple | Incomplete |
Description
The wrong “handler” is assigned to process an object.
Extended Description
Examples of deploying the wrong handler include invoking a servlet in a way that reveals the source code of a .JSP file, or automatically “determining” the type of an object from its content even when that contradicts the type that was explicitly specified.
Related Weaknesses
| Nature | ID | View ID | Name |
|---|---|---|---|
| ChildOf | CWE-691 | 1000 | Insufficient Control Flow Management |
| CanPrecede | CWE-433 | 1000 | Unparsed Raw Web Content Delivery |
| PeerOf | CWE-434 | 1000 | Unrestricted Upload of File with Dangerous Type |
Modes of Introduction
| Phase | Note |
|---|---|
| Implementation | - |
Applicable Platforms
Languages
Class: Not Language-Specific
Technologies
Common Consequences
| Scope | Impact | Note |
|---|---|---|
| Integrity, Other | Varies by Context, Unexpected State | - |
Potential Mitigations
Architecture and Design
Perform a type check before interpreting an object.
Architecture and Design
Reject any inconsistent types, such as a file with a .GIF extension that appears to consist of PHP code.
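The two mitigations above, carried out in an added example that is not part of the CWE entry: a dispatcher that names a handler only after confirming that the declared extension and the sniffed content agree, and that rejects the object rather than re-typing it when they do not. The signatures, handler names and script markers are constructed for illustration.

```python
# Added example, not part of the CWE entry: pick the handler for an uploaded
# object only when the declared type and the actual content agree.
from typing import Optional

# Constructed leading-byte signatures for the formats this example accepts.
MAGIC = {
    "gif": (b"GIF87a", b"GIF89a"),
    "png": (b"\x89PNG\r\n\x1a\n",),
    "jpg": (b"\xff\xd8\xff",),
}
# Markers that must never reach an image handler, whatever the extension says
# (conservative by design: a rare benign binary containing them is rejected too).
SCRIPT_MARKERS = (b"<?php", b"<script")


class InconsistentTypeError(ValueError):
    """Declared type and content disagree; the object gets no handler at all."""


def sniff_type(data: bytes) -> Optional[str]:
    """Return the format implied by the leading bytes, or None if unknown."""
    for fmt, signatures in MAGIC.items():
        if any(data.startswith(sig) for sig in signatures):
            return fmt
    return None


def declared_type(filename: str) -> str:
    """Normalise the declared extension (the type the client explicitly specified)."""
    ext = filename.rsplit(".", 1)[-1].lower() if "." in filename else ""
    return {"jpeg": "jpg"}.get(ext, ext)


def choose_handler(filename: str, data: bytes) -> str:
    """Name the handler for `filename`, or raise when declared and actual types differ.
    Content only confirms the declared type, never overrides it: re-typing a '.gif'
    as PHP because it looks like PHP is the wrong-handler deployment described here."""
    declared = declared_type(filename)
    if declared not in MAGIC:
        raise InconsistentTypeError(f"no handler registered for type {declared!r}")
    if any(marker in data for marker in SCRIPT_MARKERS):
        raise InconsistentTypeError(f"script content inside a {declared} upload")
    actual = sniff_type(data)
    if actual != declared:
        raise InconsistentTypeError(f"declared {declared}, content looks like {actual}")
    return f"{declared}_handler"


def is_consistent(filename: str, data: bytes) -> bool:
    """Boolean form of choose_handler for callers that only need accept/reject."""
    try:
        choose_handler(filename, data)
        return True
    except InconsistentTypeError:
        return False
```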
Observed Examples
- CVE-2001-0004: Source code disclosure via a manipulated file extension that causes parsing by the wrong DLL.
- CVE-2002-0025: Web browser does not properly handle the Content-Type header field, causing a different application to process the document.
- CVE-2000-1052: Source code disclosure by directly invoking a servlet.
- CVE-2002-1742: Arbitrary Perl functions can be loaded by calling a non-existent function that activates a handler.