CWE-430

Deployment of Wrong Handler

Base

What it is

The wrong "handler" is assigned to process an object.

An example of deploying the wrong handler would be calling a servlet to reveal source code of a .JSP file, or automatically "determining" type of the object even if it is contradictory to an explicitly specified type.

Impact

Integrity, Other

Varies by Context, Unexpected State

Mitigations

[Architecture and Design] Perform a type check before interpreting an object.
[Architecture and Design] Reject any inconsistent types, such as a file with a .GIF extension that appears to consist of PHP code.

Real-world CVE examples

CVE-2001-0004 — Source code disclosure via manipulated file extension that causes parsing by wrong DLL.
CVE-2002-0025 — Web browser does not properly handle the Content-Type header field, causing a different application to process the document.
CVE-2000-1052 — Source code disclosure by directly invoking a servlet.
CVE-2002-1742 — Arbitrary Perl functions can be loaded by calling a non-existent function that activates a handler.

Related weaknesses

CWE-691 (childof)CWE-433 (canprecede)CWE-434 (peerof)

Test & detect

Browse all common weaknesses, check related exploited CVEs, or map to ATT&CK techniques.

Source: MITRE CWE. View on cwe.mitre.org →