CWE-841: Improper Enforcement of Behavioral Workflow
CWE版本: 4.18
更新日期: 2025-09-09
弱点描述
The product supports a session in which more than one behavior must be performed by an actor, but it does not properly ensure that the actor performs the behaviors in the required sequence.
常见后果
影响范围: Other
技术影响: Alter Execution Logic
说明: An attacker could cause the product to skip critical steps or perform them in the wrong order, bypassing its intended business logic. This can sometimes have security implications.
观察示例
参考: CVE-2011-0348
Bypass of access/billing restrictions by sending traffic to an unrestricted destination before sending to a restricted destination.
参考: CVE-2007-3012
Attacker can access portions of a restricted page by canceling out of a dialog.
参考: CVE-2009-5056
Ticket-tracking system does not enforce a permission setting.
参考: CVE-2004-2164
Shopping cart does not close a database connection when user restores a previous order, leading to connection exhaustion.
参考: CVE-2003-0777
Chain: product does not properly handle dropped connections, leading to missing NULL terminator (CWE-170) and segmentation fault.
参考: CVE-2005-3327
Chain: Authentication bypass by skipping the first startup step as required by the protocol.
参考: CVE-2004-0829
Chain: File server crashes when sent a "find next" request without an initial "find first."
参考: CVE-2010-2620
FTP server allows remote attackers to bypass authentication by sending (1) LIST, (2) RETR, (3) STOR, or other commands without performing the required login steps first.
参考: CVE-2005-3296
FTP server allows remote attackers to list arbitrary directories as root by running the LIST command before logging in.
引入模式
| 阶段 | 说明 |
|---|---|
| Implementation | REALIZATION: This weakness is caused during implementation of an architectural security tactic. |
分类映射
| 分类名称 | 条目ID | 条目名称 | 映射适配度 |
|---|---|---|---|
| WASC | 40 | Insufficient Process Validation | - |