{"@ID": "67", "@Name": "Improper Handling of Windows Device Names", "@Abstraction": "Variant", "@Structure": "Simple", "@Status": "Incomplete", "Description": "The product constructs pathnames from user input, but it does not handle or incorrectly handles a pathname containing a Windows device name such as AUX or CON. This typically leads to denial of service or an information exposure when the application attempts to process the pathname as a regular file.", "Extended_Description": "Not properly handling virtual filenames (e.g. AUX, CON, PRN, COM1, LPT1) can result in different types of vulnerabilities. In some cases an attacker can request a device via injection of a virtual filename in a URL, which may cause an error that leads to a denial of service or an error page that reveals sensitive information. A product that allows device names to bypass filtering runs the risk of an attacker injecting malicious code in a file with the name of a device.", "Related_Weaknesses": {"Related_Weakness": {"@Nature": "ChildOf", "@CWE_ID": "66", "@View_ID": "1000", "@Ordinal": "Primary"}}, "Weakness_Ordinalities": {"Weakness_Ordinality": {"Ordinality": "Resultant"}}, "Applicable_Platforms": {"Language": {"@Class": "Not Language-Specific", "@Prevalence": "Undetermined"}, "Operating_System": {"@Class": "Windows", "@Prevalence": "Undetermined"}}, "Background_Details": {"Background_Detail": "Historically, there was a bug in the Windows operating system that caused a blue screen of death. Even after that issue was fixed DOS device names continue to be a factor."}, "Modes_Of_Introduction": {"Introduction": [{"Phase": "Implementation"}, {"Phase": "Operation"}]}, "Likelihood_Of_Exploit": "High", "Common_Consequences": {"Consequence": {"Scope": ["Availability", "Confidentiality", "Other"], "Impact": ["DoS: Crash, Exit, or Restart", "Read Application Data", "Other"]}}, "Potential_Mitigations": {"Mitigation": {"Phase": "Implementation", "Description": "Be familiar with the device names in the operating system where your system is deployed. Check input for these device names."}}, "Observed_Examples": {"Observed_Example": [{"Reference": "CVE-2002-0106", "Description": "Server allows remote attackers to cause a denial of service via a series of requests to .JSP files that contain an MS-DOS device name.", "Link": "https://www.cve.org/CVERecord?id=CVE-2002-0106"}, {"Reference": "CVE-2002-0200", "Description": "Server allows remote attackers to cause a denial of service via an HTTP request for an MS-DOS device name.", "Link": "https://www.cve.org/CVERecord?id=CVE-2002-0200"}, {"Reference": "CVE-2002-1052", "Description": "Product allows remote attackers to use MS-DOS device names in HTTP requests to cause a denial of service or obtain the physical path of the server.", "Link": "https://www.cve.org/CVERecord?id=CVE-2002-1052"}, {"Reference": "CVE-2001-0493", "Description": "Server allows remote attackers to cause a denial of service via a URL that contains an MS-DOS device name.", "Link": "https://www.cve.org/CVERecord?id=CVE-2001-0493"}, {"Reference": "CVE-2001-0558", "Description": "Server allows a remote attacker to create a denial of service via a URL request which includes a MS-DOS device name.", "Link": "https://www.cve.org/CVERecord?id=CVE-2001-0558"}, {"Reference": "CVE-2000-0168", "Description": "Microsoft Windows 9x operating systems allow an attacker to cause a denial of service via a pathname that includes file device names, aka the \"DOS Device in Path Name\" vulnerability.", "Link": "https://www.cve.org/CVERecord?id=CVE-2000-0168"}, {"Reference": "CVE-2001-0492", "Description": "Server allows remote attackers to determine the physical path of the server via a URL containing MS-DOS device names.", "Link": "https://www.cve.org/CVERecord?id=CVE-2001-0492"}, {"Reference": "CVE-2004-0552", "Description": "Product does not properly handle files whose names contain reserved MS-DOS device names, which can allow malicious code to bypass detection when it is installed, copied, or executed.", "Link": "https://www.cve.org/CVERecord?id=CVE-2004-0552"}, {"Reference": "CVE-2005-2195", "Description": "Server allows remote attackers to cause a denial of service (application crash) via a URL with a filename containing a .cgi extension and an MS-DOS device name.", "Link": "https://www.cve.org/CVERecord?id=CVE-2005-2195"}]}, "Functional_Areas": {"Functional_Area": "File Processing"}, "Affected_Resources": {"Affected_Resource": "File or Directory"}, "Taxonomy_Mappings": {"Taxonomy_Mapping": [{"@Taxonomy_Name": "PLOVER", "Entry_Name": "Windows MS-DOS device names"}, {"@Taxonomy_Name": "CERT C Secure Coding", "Entry_ID": "FIO32-C", "Entry_Name": "Do not perform operations on devices that are only appropriate for files", "Mapping_Fit": "CWE More Specific"}, {"@Taxonomy_Name": "The CERT Oracle Secure Coding Standard for Java (2011)", "Entry_ID": "FIO00-J", "Entry_Name": "Do not operate on files in shared directories"}, {"@Taxonomy_Name": "Software Fault Patterns", "Entry_ID": "SFP16", "Entry_Name": "Path Traversal"}]}, "References": {"Reference": [{"@External_Reference_ID": "REF-7"}, {"@External_Reference_ID": "REF-62", "@Section": "Chapter 11, \"Device Files\", Page 666"}]}, "Mapping_Notes": {"Usage": "Allowed", "Rationale": "This CWE entry is at the Variant level of abstraction, which is a preferred level of abstraction for mapping to the root causes of vulnerabilities.", "Comments": "Carefully read both the name and description to ensure that this mapping is an appropriate fit. Do not try to 'force' a mapping to a lower-level Base/Variant simply to comply with this preferred level of abstraction.", "Reasons": {"Reason": {"@Type": "Acceptable-Use"}}}, "Content_History": {"Submission": {"Submission_Name": "PLOVER", "Submission_Date": "2006-07-19", "Submission_Version": "Draft 3", "Submission_ReleaseDate": "2006-07-19"}, "Modification": [{"Modification_Name": "Eric Dalci", "Modification_Organization": "Cigital", "Modification_Date": "2008-07-01", "Modification_Version": "1.0", "Modification_ReleaseDate": "2008-09-09", "Modification_Comment": "updated Time_of_Introduction"}, {"Modification_Name": "CWE Content Team", "Modification_Organization": "MITRE", "Modification_Date": "2008-09-08", "Modification_Version": "1.0", "Modification_ReleaseDate": "2008-09-09", "Modification_Comment": "updated Applicable_Platforms, Relationships, Other_Notes, Taxonomy_Mappings, Weakness_Ordinalities"}, {"Modification_Name": "CWE Content Team", "Modification_Organization": "MITRE", "Modification_Date": "2008-10-14", "Modification_Version": "1.0.1", "Modification_ReleaseDate": "2008-10-14", "Modification_Comment": "updated Description"}, {"Modification_Name": "CWE Content Team", "Modification_Organization": "MITRE", "Modification_Date": "2008-11-24", "Modification_Version": "1.1", "Modification_ReleaseDate": "2008-11-25", "Modification_Comment": "updated Relationships, Taxonomy_Mappings"}, {"Modification_Name": "CWE Content Team", "Modification_Organization": "MITRE", "Modification_Date": "2009-03-10", "Modification_Version": "1.3", "Modification_ReleaseDate": "2009-03-10", "Modification_Comment": "updated Description, Name"}, {"Modification_Name": "CWE Content Team", "Modification_Organization": "MITRE", "Modification_Date": "2009-10-29", "Modification_Version": "1.6", "Modification_ReleaseDate": "2009-10-29", "Modification_Comment": "updated Background_Details, Other_Notes"}, {"Modification_Name": "CWE Content Team", "Modification_Organization": "MITRE", "Modification_Date": "2010-09-27", "Modification_Version": "1.10", "Modification_ReleaseDate": "2010-09-27", "Modification_Comment": "updated Description"}, {"Modification_Name": "CWE Content Team", "Modification_Organization": "MITRE", "Modification_Date": "2011-03-29", "Modification_Version": "1.12", "Modification_ReleaseDate": "2011-03-30", "Modification_Comment": "updated Description"}, {"Modification_Name": "CWE Content Team", "Modification_Organization": "MITRE", "Modification_Date": "2011-06-01", "Modification_Version": "1.13", "Modification_ReleaseDate": "2011-06-01", "Modification_Comment": "updated Common_Consequences, Relationships, Taxonomy_Mappings"}, {"Modification_Name": "CWE Content Team", "Modification_Organization": "MITRE", "Modification_Date": "2011-09-13", "Modification_Version": "2.1", "Modification_ReleaseDate": "2011-09-13", "Modification_Comment": "updated Relationships, Taxonomy_Mappings"}, {"Modification_Name": "CWE Content Team", "Modification_Organization": "MITRE", "Modification_Date": "2012-05-11", "Modification_Version": "2.2", "Modification_ReleaseDate": "2012-05-15", "Modification_Comment": "updated Observed_Examples, References, Relationships, Taxonomy_Mappings"}, {"Modification_Name": "CWE Content Team", "Modification_Organization": "MITRE", "Modification_Date": "2012-10-30", "Modification_Version": "2.3", "Modification_ReleaseDate": "2012-10-30", "Modification_Comment": "updated Potential_Mitigations"}, {"Modification_Name": "CWE Content Team", "Modification_Organization": "MITRE", "Modification_Date": "2014-07-30", "Modification_Version": "2.8", "Modification_ReleaseDate": "2014-07-31", "Modification_Comment": "updated Relationships, Taxonomy_Mappings"}, {"Modification_Name": "CWE Content Team", "Modification_Organization": "MITRE", "Modification_Date": "2017-11-08", "Modification_Version": "3.0", "Modification_ReleaseDate": "2017-11-08", "Modification_Comment": "updated Affected_Resources, Applicable_Platforms, Causal_Nature, Likelihood_of_Exploit, References, Relationships, Taxonomy_Mappings"}, {"Modification_Name": "CWE Content Team", "Modification_Organization": "MITRE", "Modification_Date": "2018-03-27", "Modification_Version": "3.1", "Modification_ReleaseDate": "2018-03-27", "Modification_Comment": "updated References"}, {"Modification_Name": "CWE Content Team", "Modification_Organization": "MITRE", "Modification_Date": "2019-01-03", "Modification_Version": "3.2", "Modification_ReleaseDate": "2019-01-03", "Modification_Comment": "updated Relationships, Taxonomy_Mappings"}, {"Modification_Name": "CWE Content Team", "Modification_Organization": "MITRE", "Modification_Date": "2020-02-24", "Modification_Version": "4.0", "Modification_ReleaseDate": "2020-02-24", "Modification_Comment": "updated Relationships"}, {"Modification_Name": "CWE Content Team", "Modification_Organization": "MITRE", "Modification_Date": "2023-01-31", "Modification_Version": "4.10", "Modification_ReleaseDate": "2023-01-31", "Modification_Comment": "updated Description"}, {"Modification_Name": "CWE Content Team", "Modification_Organization": "MITRE", "Modification_Date": "2023-04-27", "Modification_Version": "4.11", "Modification_ReleaseDate": "2023-04-27", "Modification_Comment": "updated Relationships, Time_of_Introduction"}, {"Modification_Name": "CWE Content Team", "Modification_Organization": "MITRE", "Modification_Date": "2023-06-29", "Modification_Version": "4.12", "Modification_ReleaseDate": "2023-06-29", "Modification_Comment": "updated Mapping_Notes"}, {"Modification_Name": "CWE Content Team", "Modification_Organization": "MITRE", "Modification_Date": "2025-09-09", "Modification_Version": "4.18", "Modification_ReleaseDate": "2025-09-09", "Modification_Comment": "updated Functional_Areas"}], "Previous_Entry_Name": [{"@Date": "2008-04-11", "#text": "Windows MS-DOS Device Names"}, {"@Date": "2009-03-10", "#text": "Failure to Handle Windows Device Names"}]}}
