CWE-184: Incomplete List of Disallowed Inputs

Base Draft Simple

CWE Version: 4.18

Last Updated: 2025-09-09

Weakness Description

The product implements a protection mechanism that relies on a list of inputs (or properties of inputs) that are not allowed by policy or otherwise require other action to neutralize before additional processing takes place, but the list is incomplete.

Common Consequences

Scope: Access Control

Technical Impact: Bypass Protection Mechanism

Note: Attackers may be able to find other malicious inputs that were not expected by the developer, allowing them to bypass the intended protection mechanism.

Potential Mitigations

Phase: Implementation

Strategy: Input Validation

Description: Do not rely exclusively on detecting disallowed inputs. There are too many ways to encode a character, especially when different environments are involved, so some variant is very likely to be missed. Use detection of disallowed inputs only as a mechanism for flagging suspicious activity. Ensure that you are also using protection mechanisms that identify "good" input, such as lists of allowed inputs, and ensure that you are properly encoding your outputs.
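The mitigation above contrasts a denylist with an allowlist plus verification of the result. The following Python, added here as an example and not part of the CWE entry, reproduces the pattern behind CVE-2024-4315 and CVE-2002-0661 in miniature: a denylist that knows about "../" but not the backslash separator, beside an allowlist check that constrains the filename's shape and then confirms the canonical path still sits in the intended directory. The function names, BASE_DIR, WIN_BASE and the sample inputs are constructed for this illustration; ntpath is used so the Windows path resolution can be shown on any platform.

```python
"""Denylist vs. allowlist for a user-supplied filename (added example)."""
import ntpath
import posixpath
import re
from typing import Optional

# ---- Vulnerable pattern (CWE-184): a denylist of "known bad" sequences. ----
# The author thought about POSIX traversal and nothing else.
DENIED_SEQUENCES = ("../", "/")


def denylist_is_safe(user_path: str) -> bool:
    """Return True when none of the denied sequences appear.

    The list omits the backslash, so "..\\..\\windows\\win.ini" passes and,
    on a Windows host, escapes the intended directory (cf. CVE-2024-4315).
    """
    return not any(bad in user_path for bad in DENIED_SEQUENCES)


WIN_BASE = r"C:\app\uploads"  # hypothetical upload directory on a Windows host


def windows_target(user_path: str) -> str:
    """Path the file API would actually open on Windows after the join.

    ntpath implements Windows path semantics on every platform, so the effect
    can be shown offline without a Windows machine.
    """
    return ntpath.normpath(ntpath.join(WIN_BASE, user_path))


# ---- Hardened pattern: define what "good" looks like, then verify. ----------
BASE_DIR = "/srv/app/uploads"  # hypothetical upload directory on a POSIX host
# Only a bare filename from a small character set, with one fixed extension.
ALLOWED_NAME = re.compile(r"[A-Za-z0-9_-]{1,64}\.txt")


def allowlist_resolve(user_name: str) -> Optional[str]:
    """Return the absolute path under BASE_DIR, or None if the name is rejected.

    Two independent checks: the input must match the allowed shape, and the
    canonicalized result must still sit directly inside BASE_DIR. Separators
    of any flavour fail the first check, so none of them needs to be listed.
    """
    if not ALLOWED_NAME.fullmatch(user_name):
        return None
    candidate = posixpath.normpath(posixpath.join(BASE_DIR, user_name))
    if posixpath.dirname(candidate) != BASE_DIR:
        return None
    return candidate


if __name__ == "__main__":
    for sample in ("../etc/passwd", "..\\..\\windows\\win.ini", "report.txt"):
        print(f"{sample!r:30} denylist_ok={denylist_is_safe(sample)!s:6}"
              f"windows_target={windows_target(sample)!r:28} "
              f"allowlist={allowlist_resolve(sample)!r}")
```

The second check in allowlist_resolve is deliberately redundant with the first: if the regular expression is later loosened, the dirname comparison still refuses anything that resolves outside BASE_DIR.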

Detection Methods

Method: Black Box

Exploitation of a vulnerability with commonly-used manipulations might fail, but minor variations might succeed.
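To make the black-box observation concrete, here is an added Python example (not part of the CWE entry) that walks "minor variations" of one payload against a filter that only strips the literal lowercase <script> tag, in the style of CVE-2007-5727, and reports which variants still reach a consumer that ignores null bytes (cf. CVE-2004-0595) and matches tag names case-insensitively. The consumer model, the filter, the variant list and the payload are all constructed for this illustration; html.escape stands in for the output-encoding mitigation.

```python
"""Black-box variant probing of a tag denylist (added example)."""
import html
import re
from typing import Callable, List


# ---- Target under test: strips only the literal lowercase tag (CWE-184). ----
def naive_filter(doc: str) -> str:
    """One non-recursive pass that removes exactly '<script>' and '</script>'."""
    return doc.replace("<script>", "").replace("</script>", "")


# ---- Constructed model of the downstream consumer (a browser). ---------------
# Browsers drop NUL bytes and match tag names case-insensitively, so the
# oracle does the same before looking for an executable construct.
EXECUTABLE = re.compile(r"<script\b|<img\b[^>]*\bonerror=", re.IGNORECASE)


def consumer_executes(doc: str) -> bool:
    """True if the consumer would run script from this (already filtered) text."""
    return bool(EXECUTABLE.search(doc.replace("\x00", "")))


def variants(payload: str) -> List[str]:
    """Minor variations of one known-bad payload: the list a black-box tester
    walks when the commonly-used form is blocked."""
    return [
        payload,                                           # the obvious form
        payload.upper(),                                   # case change
        payload.replace("<script>", "<ScRiPt>"),           # mixed case
        payload.replace("<script>", "<scr\x00ipt>"),       # NUL inside the tag name
        payload.replace("<script>", "<scr<script>ipt>"),   # reassembles after one strip
        '<img src=x onerror="alert(1)">',                  # a tag the list never named
    ]


def probe(filter_fn: Callable[[str], str], payload: str) -> List[str]:
    """Return the variants that pass filter_fn and would still execute."""
    return [v for v in variants(payload) if consumer_executes(filter_fn(v))]


def encoded_survivors(payload: str) -> List[str]:
    """Same probe against output encoding (html.escape) instead of a denylist."""
    return probe(html.escape, payload)


if __name__ == "__main__":
    base = "<script>alert(1)</script>"
    print("denylist survivors:", probe(naive_filter, base))
    print("output-encoding survivors:", encoded_survivors(base))
```

The obvious payload is the only one the denylist stops; every variant survives it, while none survives output encoding, which is the point of the mitigation above: the encoder does not need to know which tag or which spelling is dangerous.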

Observed Examples

Reference: CVE-2024-4315

Chain: API for text generation using Large Language Models (LLMs) does not include the "\" Windows folder separator in its denylist (CWE-184) when attempting to prevent Local File Inclusion via path traversal (CWE-22), allowing deletion of arbitrary files on Windows systems.

Reference: CVE-2008-2309

Product uses a denylist to identify potentially dangerous content, allowing an attacker to bypass a warning.

Reference: CVE-2005-2782

PHP remote file inclusion in a web application that filters "http" and "https" URLs, but not "ftp".

Reference: CVE-2004-0542

Programming language does not filter certain shell metacharacters in a Windows environment.

Reference: CVE-2004-0595

XSS filter doesn't strip null characters, which web browsers ignore, before looking for dangerous tags. Multiple interpretation error (MIE) and validate-before-cleanse.

Reference: CVE-2005-3287

Web-based mail product doesn't restrict dangerous extensions such as ASPX on a web server, even though others are prohibited.

Reference: CVE-2004-2351

Resultant XSS when only <script> and <style> are checked.

Reference: CVE-2005-2959

Privileged program does not clear sensitive environment variables that are used by bash. Overlaps multiple interpretation error.

Reference: CVE-2005-1824

SQL injection protection scheme does not quote the "\" special character.

Reference: CVE-2005-2184

Detection of risky filename extensions prevents users from automatically executing .EXE files, but .LNK is accepted, allowing a resultant Windows symbolic link attack.

Reference: CVE-2007-1343

Product uses a list of protected variables, but accidentally omits one dangerous variable, allowing external modification.

Reference: CVE-2007-5727

Chain: product only removes SCRIPT tags (CWE-184), enabling XSS (CWE-79).

Reference: CVE-2006-4308

Chain: product only checks for use of the "javascript:" tag (CWE-184), allowing XSS (CWE-79) using other tags.

Reference: CVE-2007-3572

Chain: OS command injection (CWE-78) enabled by using an unexpected character that is not explicitly disallowed (CWE-184).

Reference: CVE-2002-0661

"\" not in the list of disallowed values for a web server, allowing path traversal attacks when the server is run on Windows and other OSes.

Modes of Introduction

Phase: Implementation

Description: Developers often try to protect their products against malicious input by checking against lists of known bad inputs, such as special characters that can invoke new commands. However, such lists often only address the most well-known bad inputs. As a quick fix, developers might rely on these lists instead of addressing the root cause of the issue. See [REF-141].

Phase: Architecture and Design

Description: The design might rely solely on detection of malicious inputs as a protection mechanism.

Applicable Platforms

Languages: Not Language-Specific (Prevalence: Undetermined)

Taxonomy Mappings

Taxonomy Name: PLOVER
Entry ID: -
Entry Name: Incomplete Blacklist
Mapping Fit: -

Key Information

CWE ID: CWE-184

Abstraction: Base

Structure: Simple

Status: Draft

Related Weaknesses

Related Attack Patterns

CAPEC-120, CAPEC-15, CAPEC-182, CAPEC-3, CAPEC-43, CAPEC-6, CAPEC-71, CAPEC-73, CAPEC-85