cIFrex Filters - (cIFrex.org)


Filters for cIFrex

CWE-78: Improper Neutralization of Special Elements used in an OS Command ('OS Command Injection')
CWE-79: Improper Neutralization of Input During Web Page Generation ('Cross-site Scripting')
CWE-89: Improper Neutralization of Special Elements used in an SQL Command ('SQL Injection')
CWE-95: Improper Neutralization of Directives in Dynamically Evaluated Code ('Eval Injection')
CWE-98: Improper Control of Filename for Include/Require Statement in PHP Program ('PHP File Inclusion')
CWE-120: Buffer Copy without Checking Size of Input ('Classic Buffer Overflow')
CWE-129: Improper Validation of Array Index
CWE-131: Incorrect Calculation of Buffer Size
CWE-189: Numeric Errors
CWE-399: Resource Management Errors
CWE-601: URL Redirection to Untrusted Site ('Open Redirect')

CWE-78: Improper Neutralization of Special Elements used in an OS Command ('OS Command Injection')
Remote OS command execution in PHP
Submitted by: Kamil Uptas
CWE-78
This could allow attackers to execute unexpected, dangerous commands directly on the operating system. V1 captures a variable assigned straight from a request superglobal, T1 requires that variable to reach passthru(), exec(), shell_exec() or system(), and F1 suppresses the hit when escapeshellarg(), escapeshellcmd() or addslashes() is applied to it. Example: WLB-2012030217

V1: \$(?<v1>\w+)(?: |)\=(?: |)\$_(?:POST|GET|REQUEST|COOKIE)
T1: (?:passthru|exec|shell_exec|system).*<v1>
F1: (?:escapeshellarg|escapeshellcmd|addslashes).*<v1>

 
Languages: PHP

CWE-79: Improper Neutralization of Input During Web Page Generation ('Cross-site Scripting')

Classic Cross Site Scripting
Submitted by: Maksymilian Arciemowicz
CWE-79
The software does not neutralize or incorrectly neutralizes user-controllable input before it is placed in output that is used as a web page that is served to other users.

Example
Prestashop 1.4.0.6 Cross Site Scripting
CVE-2011-4544

V1: (.*echo.*\$_(?:POST|GET)\[(?:\'|\")(?<v1>\w+)(?:\'|\")\].*)
F1: htmlspecialchars.*<v1>
F2: \(int\)\$_(?:POST|GET)\[.<v1>.\]

 
Languages: PHP

CWE-89: Improper Neutralization of Special Elements used in an SQL Command ('SQL Injection')

Classic SQL Injection
Submitted by: Maksymilian Arciemowicz
CWE-89
The software constructs all or part of an SQL command using externally-influenced input from an upstream component, but it does not neutralize or incorrectly neutralizes special elements that could modify the intended SQL command when it is sent to a downstream component.

V1: \$(?<v1>\w+) \=.*\$_(?:GET|POST)\[(?<v2>.*)\]
T1: mysql_query\(.*\$<v1>
F1: addslashes.*\$<v1>

 
Languages: PHP
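The V/T/F lines of each filter are regular expressions, with placeholders such as <v1> standing for the text the V line captured. The Python script below is an added example written for this page; it is not cIFrex itself nor any code from cxsecurity.com. It parses the CWE-78 and CWE-89 filters exactly as printed above, rewrites their PCRE-style named groups into Python syntax, and applies them to a few constructed PHP snippets. The evaluation rule it implements (report a V hit when every T pattern matches some line of the same file and no F pattern matches any line) is an assumption about how the filters are meant to be read; the page does not state it.

```python
import re

# Filter definitions copied verbatim from this page (the CWE-78 and CWE-89 entries).
CWE78_FILTER = r"""
V1: \$(?<v1>\w+)(?: |)\=(?: |)\$_(?:POST|GET|REQUEST|COOKIE)
T1: (?:passthru|exec|shell_exec|system).*<v1>
F1: (?:escapeshellarg|escapeshellcmd|addslashes).*<v1>
"""

CWE89_FILTER = r"""
V1: \$(?<v1>\w+) \=.*\$_(?:GET|POST)\[(?<v2>.*)\]
T1: mysql_query\(.*\$<v1>
F1: addslashes.*\$<v1>
"""

RULE_LINE = re.compile(r"^\s*([VTF])\d+:\s*(.*\S)\s*$")


def to_python_regex(pattern):
    """The page writes named groups PCRE-style, (?<v1>...); Python's re module
    needs (?P<v1>...). Lookbehinds (?<= and (?<! start the same way and are left alone."""
    return re.sub(r"\(\?<(?=\w)", "(?P<", pattern)


def parse_filter(text):
    """Parse the V/T/F notation used on this page into lists of Python regexes."""
    rules = {"V": [], "T": [], "F": []}
    for line in text.splitlines():
        m = RULE_LINE.match(line)
        if m:
            kind, pattern = m.groups()
            rules[kind].append(to_python_regex(pattern))
    return rules


def substitute(pattern, captures):
    """Replace the <v1>, <v2>, ... placeholders of a T or F line with the text
    the V line captured, escaped so that it is matched literally."""
    for name, value in captures.items():
        pattern = pattern.replace("<%s>" % name, re.escape(value))
    return pattern


def scan(source, rules):
    """Assumed evaluation rule (not spelled out on the page): a line matching a V
    pattern is reported when every T pattern matches some line of the file and
    no F pattern matches any line. Returns [(line_number, captures), ...]."""
    lines = source.splitlines()
    findings = []
    for lineno, line in enumerate(lines, 1):
        for v in rules["V"]:
            m = re.search(v, line)
            if not m:
                continue
            caps = {k: val for k, val in m.groupdict().items() if val is not None}
            triggered = all(any(re.search(substitute(t, caps), l) for l in lines)
                            for t in rules["T"])
            suppressed = any(any(re.search(substitute(f, caps), l) for l in lines)
                             for f in rules["F"])
            if triggered and not suppressed:
                findings.append((lineno, caps))
    return findings


# Constructed PHP snippets, not taken from any real project.
PHP_CMD_VULN = """<?php
$cmd = $_GET['cmd'];
system("ls " . $cmd);
"""

PHP_CMD_SAFE = """<?php
$cmd = $_GET['cmd'];
system("ls " . escapeshellarg($cmd));
"""

# Nothing is executed with user input here, but T1 still matches the word "cmd"
# in the comment on the exec() line: a false positive of line-based matching.
PHP_CMD_FALSE_POSITIVE = """<?php
$cmd = $_GET['cmd'];
error_log($cmd);
exec('logger done');  // cmd was only logged, never executed
"""

PHP_SQL_VULN = """<?php
$id = $_GET['id'];
$res = mysql_query("SELECT * FROM users WHERE id=" . $id);
"""

# F1 expects addslashes() applied to the captured variable itself, as done here.
PHP_SQL_SAFE = """<?php
$id = $_GET['id'];
$id = addslashes($id);
$res = mysql_query("SELECT * FROM users WHERE name='" . $id . "'");
"""

if __name__ == "__main__":
    for name, src, flt in [("cmd-vuln", PHP_CMD_VULN, CWE78_FILTER),
                           ("cmd-safe", PHP_CMD_SAFE, CWE78_FILTER),
                           ("cmd-fp", PHP_CMD_FALSE_POSITIVE, CWE78_FILTER),
                           ("sql-vuln", PHP_SQL_VULN, CWE89_FILTER),
                           ("sql-safe", PHP_SQL_SAFE, CWE89_FILTER)]:
        print(name, scan(src, parse_filter(flt)))
```

The third snippet shows the limit of line-oriented matching: T1 is satisfied by the word cmd inside a comment on the exec() line, so the file is reported although user input never reaches a shell. The F lines have the opposite weakness. The CWE-78 F1 accepts addslashes(), which only escapes quotes, backslashes and NUL and leaves shell metacharacters such as ; and | untouched, so code that relies on it is suppressed without being safe; escapeshellarg() (or not going through a shell at all) is the neutralization that actually holds.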

CWE-95: Improper Neutralization of Directives in Dynamically Evaluated Code ('Eval Injection')

Remote code execution in PHP
Submitted by: Kamil Uptas
CWE-95
The software receives input from an upstream component, but it does not neutralize or incorrectly neutralizes code syntax before using the input in a dynamic evaluation call eval(). Example: WLB-2012020080

V1: \$(?<v1>\w+)(?: |)\=(?: |)\$_(?:POST|GET|REQUEST|COOKIE)
T1: eval.*<v1>

 
Languages: PHP

CWE-98: Improper Control of Filename for Include/Require Statement in PHP Program ('PHP File Inclusion')

Remote/Local File Inclusion
Submitted by: Maksymilian Arciemowicz
CWE-98
In certain versions and configurations of PHP, this can allow an attacker to specify a URL to a local or remote location from which the software will obtain the code to execute.

Example (osCommerce admin):
osCommerce/OM/Core/Site/Admin/Application/modules_order_total/pages/edit.php

V1: (.*(?:\@| )(?:include|require|file)\(.*\$\_(?:POST|GET).*)

 
Languages: PHP

Local File Inclusion
Submitted by: Maksymilian Arciemowicz
CWE-98
The PHP application receives input from an upstream component, but it does not restrict or incorrectly restricts the input before its usage in "require," "include," or similar functions.

Example
phpMyAdmin 2.6.4-pl1 Local File Inclusion
WLB-2005100029
CVE-2005-3299

V1: (?<v1>\w+) \= \$_(?:POST|GET)\[\'(?<v2>\w+)\'
T1: (?:include|require).*<v1>
F1: file_exist.*<v1>

 
Languages: PHP

Source Code Disclosure in PHP
Submitted by: Kamil Uptas
CWE-98
The PHP application receives input from an upstream component, but it does not restrict or incorrectly restricts the input before its usage in: file, file_get_contents, show_source or highlight_file.
Example: CVE-2005-2330

V1: \$(?<v1>\w+)(?: |)\=(?: |)\$_(?:POST|GET|REQUEST|COOKIE)
T1: (?:file|file_get_contents|show_source|highlight_file)(?: |)\(.*<v1>
F1: Content-Disposition

 
Languages: PHP

CWE-120: Buffer Copy without Checking Size of Input ('Classic Buffer Overflow')

Buffer overflow with strcpy and sprintf
Submitted by: Maksymilian Arciemowicz
CWE-120
The program copies an input buffer to an output buffer without verifying that the size of the input buffer is less than the size of the output buffer, leading to a buffer overflow.

V1: (?<v1>\w+).=.(?:\(.*\)|).malloc
T1: (.*(?:sprintf|strcpy).*<v1>.*)
F1: <v1>.=.*malloc.*strlen
F2: (?:<v1>.*NULL|NULL.*<v1>)

 
Languages: C C++

CWE-129: Improper Validation of Array Index

Array overrun with char
Submitted by: Maksymilian Arciemowicz
CWE-129
The product uses untrusted input when calculating or using an array index, but the product does not validate or incorrectly validates the index to ensure the index references a valid position within the array.

V1: (?<v1>\w{2,})(?:| )\[(?:| )(?<v2>[\-\.\>a-z]{4,})(?:| )\]
T1: char.* <v1>(?: |)\[.*\](?:\;|,).*
T2: (?:<v2>(?: |)\=(?: |)strlen)
T3: char.* <v1>(?: |)\[(\d)\]
F1: if.*<v2>(?:| )\<(?:| )(\w+)
F2: char.* <v1>(?: |)\[([A-Z]+)\]

 
Languages: C C++

CWE-131: Incorrect Calculation of Buffer Size

Off-by-one with incorrectly calculated buffer size
Submitted by: Maksymilian Arciemowicz
CWE-131
The software does not correctly calculate the size to be used when allocating a buffer, which could lead to a buffer overflow.

V1: (?<v1>\w+).\=.(?:\(\)|).*lloc\(
V2: for.\(.*\;.*\<(?<v2>\w+).*
T1: <v1>.*\[<v2>\].*
F1: <v1>.\=.(?:\(\)|).*lloc\(.*\+.1

 
Languages: C C++

Off-by-one with char array
Submitted by: Maksymilian Arciemowicz
CWE-131
If the incorrect calculation is used in the context of memory allocation, then the software may create a buffer that is smaller or larger than expected. If the allocated buffer is smaller than expected, this could lead to an out-of-bounds read or write (CWE-119), possibly causing a crash, allowing arbitrary code execution, or exposing sensitive data.

Example
coreutils-8.5/gnulib-tests/test-snprintf.c

V1: char.* (?<v1>\w+)\[(?<v2>\w+)\]
T1: for.*\<\=.<v2>
T2: <v1>\[.*\].\=.*

 
Languages: C C++

CWE-189: Numeric Errors

Integer overflow converting long to int
Submitted by: Maksymilian Arciemowicz
CWE-189
The vulnerability exists only on 64-bit LP64 platforms (Linux, the BSDs, macOS; 64-bit Windows keeps long at 4 bytes), where the server casts a 'long' directly to 'int'. On those platforms long is 8 bytes and int is 4 bytes, so the cast silently discards the upper 32 bits and a large positive length can become small or negative.

Example
Apache 1.3.41 mod_proxy Integer overflow (code execution)
WLB-2010010206
CVE-2010-0010

V1: (long.*(?: |\, )(?<v1>\w{2,}))
T1: .*\(int\)<v1>.*

 
Languages: C C++

Integer overflow multiplying by 10
Submitted by: Maksymilian Arciemowicz
CWE-189
The software performs a calculation that can produce an integer overflow or wraparound, when the logic assumes that the resulting value will always be larger than the original value. This can introduce other weaknesses when the calculation is used for resource management or execution control.

V1: int.* (?<v1>\w{2,})(?:\;|\,| \=)
T1: (?:(<v1>.\*.10)|(10.\*.<v1>)|(<v1>.\*\=.10))
F1: if.*(?:(<v1>.*\<.*)|(<v1>.*\>.*)|(.*(?:\<|\>)<v1))

 
Languages: C C++
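Both CWE-189 filters above look for a syntactic shape (a cast from long to int, or a multiplication by 10 without a preceding range check) whose danger is only visible in the integer semantics. The following Python model is an added example, not Apache's code or anything from the cited advisories: it reproduces 32-bit two's-complement wraparound, then runs the two patterns on constructed inputs, a header length that passes a sanity check after truncation, and an atoi-style loop with and without the guard that F1 accepts. The function names and the sanity-check shape are hypothetical.

```python
INT_BITS = 32
INT_MAX = (1 << (INT_BITS - 1)) - 1


def to_c_int(value, bits=INT_BITS):
    """Two's-complement wraparound to `bits` bits: what a C cast of a wider integer
    to int does on common compilers (and what signed overflow produces in practice,
    although in C it is undefined behaviour)."""
    mask = (1 << bits) - 1
    value &= mask
    return value - (1 << bits) if value >> (bits - 1) else value


def alloc_size_from_long(length_from_header):
    """Hypothetical model of the pattern the first CWE-189 filter targets: a 64-bit
    long (say, a parsed Content-Length) is cast to int, the int is sanity-checked,
    and the int is then used as an allocation size. Returns the bytes that would be
    allocated, or None when the check rejects the value."""
    n = to_c_int(length_from_header, 32)
    if n < 0:              # the check only ever sees the truncated value
        return None
    return n


def unchecked_atoi(digits):
    """int n = 0; for each digit: n = n * 10 + d;  -- the shape the second filter's
    T1 matches. Wraps silently once the value exceeds INT_MAX."""
    n = 0
    for c in digits:
        n = to_c_int(n * 10 + (ord(c) - ord("0")))
    return n


def checked_atoi(digits):
    """The guard the second filter's F1 accepts: compare before multiplying, so the
    result can never exceed INT_MAX. Returns None instead of wrapping."""
    n = 0
    for c in digits:
        d = ord(c) - ord("0")
        if n > (INT_MAX - d) // 10:
            return None
        n = n * 10 + d
    return n


if __name__ == "__main__":
    # A 4 GiB + 16 byte body yields a 16-byte buffer: the check passed, the copy will not.
    print(alloc_size_from_long((1 << 32) + 16))   # 16
    print(alloc_size_from_long(1 << 31))          # None (went negative, rejected)
    print(unchecked_atoi("2147483648"))           # -2147483648
    print(checked_atoi("2147483648"))             # None
```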

CWE-399: Resource Management Errors

Denial of Service with recursion
Submitted by: Maksymilian Arciemowicz
CWE-399
If an attacker can trigger the allocation of these limited resources, but the number or size of the resources is not controlled, then the attacker could cause a denial of service that consumes all available resources.

Example:
Apache remote denial of service
WLB-2011050133
CVE-2011-0419

vsftpd remote denial of service
WLB-2011030139
CVE-2011-0762

V1: (?:int |char |^)(?<v1>\w+)\(.*
T1: (?:if|while).*<v1>\(
T2: .*\'\*\'.*

 
Languages: C C++
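T1 looks for a function that calls itself from inside an if or while, and T2 for the literal '*', because both advisories cited above concern recursive wildcard matching: each '*' in a pattern forks the recursion, so a pattern with many stars against a string it cannot match does combinatorial work and deep recursion. The Python below is an added example, not the Apache or vsftpd code: a naive recursive matcher of the kind the filter flags, beside the usual non-recursive rewrite, with call counts so the growth is visible on constructed inputs.

```python
def match_recursive(pattern, text):
    """Naive recursive wildcard matcher ('*' = any run, '?' = one char), the shape
    the filter's T1/T2 look for. Returns (matched, number_of_calls)."""
    calls = 0

    def go(p, t):
        nonlocal calls
        calls += 1
        if not p:
            return not t
        if p[0] == "*":
            # Fork: either the star is finished (skip it) or it eats one more char.
            # Every further '*' forks again, so k stars against n characters that
            # never match cost on the order of C(n + k, k) calls.
            return go(p[1:], t) or (bool(t) and go(p, t[1:]))
        if t and (p[0] == "?" or p[0] == t[0]):
            return go(p[1:], t[1:])
        return False

    return go(pattern, text), calls


def match_iterative(pattern, text):
    """Same language without recursion: remember the most recent '*' and where it
    began in the text; on a mismatch restart there with the star eating one more
    character. Worst case O(len(pattern) * len(text)), constant stack depth.
    Returns (matched, number_of_loop_steps)."""
    p = t = 0
    star = None
    star_t = 0
    steps = 0
    while t < len(text):
        steps += 1
        if p < len(pattern) and pattern[p] == "*":
            star, star_t, p = p, t, p + 1
        elif p < len(pattern) and (pattern[p] == "?" or pattern[p] == text[t]):
            p += 1
            t += 1
        elif star is not None:
            star_t += 1
            p, t = star + 1, star_t
        else:
            return False, steps
    while p < len(pattern) and pattern[p] == "*":   # trailing stars match nothing
        p += 1
    return p == len(pattern), steps


def call_growth(n=12, ks=range(1, 9)):
    """Calls made by the recursive matcher for '*' * k + 'x' against 'a' * n
    (a constructed worst case: the trailing 'x' guarantees no match)."""
    return {k: match_recursive("*" * k + "x", "a" * n)[1] for k in ks}


if __name__ == "__main__":
    for k, calls in call_growth().items():
        steps = match_iterative("*" * k + "x", "a" * 12)[1]
        print(f"{k} stars: recursive {calls:>7} calls, iterative {steps:>3} steps")
```

With twelve characters of text, two stars cost 195 recursive calls and six stars tens of thousands, while the iterative matcher needs k + 12 loop steps for any k. The recursive version also nests one stack frame per character consumed, so long inputs exhaust the stack before the CPU cost matters; a cap on the number of '*' accepted, as well as the non-recursive rewrite, is the usual fix.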

CWE-601: URL Redirection to Untrusted Site ('Open Redirect')

URL Redirection to Untrusted Site in PHP
Submitted by: Kamil Uptas
CWE-601
A web application accepts a user-controlled input that specifies a link to an external site, and uses that link in a Redirect. This simplifies phishing attacks. Example: WLB-2011060015

V1: \$(?<v1>\w+)(?: |)\=(?: |)\$_(?:POST|GET|REQUEST|COOKIE)
T1: header.*Location.*<v1>

 
Languages: PHP

Copyright 2013, cxsecurity.com