
CWE-1389 - Incorrect Parsing of Numbers with Different Radices

CWE-1389

  • Abstraction: Base
  • Structure: Simple
  • Status: Incomplete
Weakness Name

Incorrect Parsing of Numbers with Different Radices

Description

The product parses numeric input assuming base 10 (decimal) values, but it does not account for inputs that use a different base number (radix).

Frequently, a numeric input that begins with "0" is treated as octal, or "0x" causes it to be treated as hexadecimal, e.g. by the inet_addr() function. For example, "023" (octal) is 35 decimal, or "0x31" is 49 decimal. Other bases may be used as well. If the developer assumes decimal-only inputs, the code could produce incorrect numbers when the inputs are parsed using a different base. This can result in unexpected and/or dangerous behavior. For example, a "0127.0.0.1" IP address is parsed as octal due to the leading "0", whose numeric value would be the same as 87.0.0.1 (decimal), where the developer likely expected to use 127.0.0.1. The consequences vary depending on the surrounding code in which this weakness occurs, but they can include bypassing network-based access control using unexpected IP addresses or netmasks, or causing apparently-symbolic identifiers to be processed as if they are numbers. In web applications, this can enable bypassing of SSRF restrictions.
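As an added illustration (not part of the CWE entry), the following Python models the two parsing behaviours the description contrasts: a lenient octet parser that mirrors the strtoul(…, base 0) rule behind inet_addr()/inet_aton() (leading "0x" is hex, leading "0" is octal, otherwise decimal), and a strict parser that accepts only canonical decimal dotted-quad notation. The helper names, the sample inputs and the assumption that every address has exactly four parts are this example's own (inet_aton also accepts shorter forms, which are not modelled here).

```python
import re
from typing import List, Optional

# Constructed sample inputs: the page's octal example plus hex and another octal form.
SAMPLES = ["127.0.0.1", "0127.0.0.1", "0x7f.0.0.1", "023.0.0.1"]


def parse_octet_lenient(token: str) -> int:
    """Mirror the strtoul(..., base 0) rule used by inet_addr()/inet_aton():
    '0x' prefix -> hexadecimal, leading '0' -> octal, otherwise decimal."""
    if token.lower().startswith("0x"):
        return int(token[2:], 16)
    if len(token) > 1 and token.startswith("0"):
        return int(token, 8)
    return int(token, 10)


def lenient_dotted_quad(text: str) -> str:
    """What a radix-aware C-style parser makes of a four-part address,
    returned in canonical decimal form (assumes exactly four parts)."""
    parts = text.split(".")
    if len(parts) != 4:
        raise ValueError("expected exactly four parts")
    octets = [parse_octet_lenient(p) for p in parts]
    if any(not 0 <= o <= 255 for o in octets):
        raise ValueError("octet out of range")
    return ".".join(str(o) for o in octets)


# Canonical decimal octet: '0' or a 1-3 digit number with no leading zero.
STRICT_OCTET = re.compile(r"^(0|[1-9][0-9]{0,2})$")


def strict_dotted_quad(text: str) -> Optional[str]:
    """Accept only canonical decimal notation: four octets, no radix prefixes,
    no leading zeros, each 0..255. Returns the input unchanged when it is
    canonical, or None when it must be rejected."""
    parts = text.split(".")
    if len(parts) != 4:
        return None
    if not all(STRICT_OCTET.match(p) and int(p) <= 255 for p in parts):
        return None
    return text


def denylist_misclassifies(text: str, denied: List[str]) -> bool:
    """Audit helper: True when a string-compare denylist would let `text`
    through although a lenient parser resolves it to a denied host, i.e.
    the validator and the consumer disagree about which host is meant."""
    if text in denied:
        return False
    return lenient_dotted_quad(text) in denied
```

Python 3.9.5 and later reject leading zeros in ipaddress.ip_address() for the same reason; a validator is only sound when it canonicalises input exactly as the code that later consumes it does.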

Common Consequences

Scope: Confidentiality

Impact: Read Application Data

Notes: An attacker may use an unexpected numerical base to access private application resources.

Scope: Integrity

Impact: Bypass Protection Mechanism, Alter Execution Logic

Notes: An attacker may use an unexpected numerical base to bypass or manipulate access control mechanisms.

Related Weaknesses
  • Release Date: 2022-10-13
  • Latest Modification Date: 2023-06-29
