ByteOS Network

CWE-436:Interpretation Conflict

Weakness ID:436

Version:v4.17

Weakness Name:Interpretation Conflict

Vulnerability Mapping:Allowed-with-Review

Abstraction:Class

Structure:Simple

Status:Incomplete

Details Content History Observed CVE Examples Reports

▼Description

Product A handles inputs or steps differently than Product B, which causes A to perform incorrect actions based on its perception of B's state.

▼Extended Description

This is generally found in proxies, firewalls, anti-virus software, and other intermediary devices that monitor, allow, deny, or modify traffic based on how the client or server is expected to behave.

▼Relationships

Relevant to the view"Research Concepts - (1000)"

Nature	Mapping	Type	ID	Name
ChildOf	Discouraged	P	435	Improper Interaction Between Multiple Correctly-Behaving Entities
ParentOf	Allowed	V	113	Improper Neutralization of CRLF Sequences in HTTP Headers ('HTTP Request/Response Splitting')
ParentOf	Allowed	B	115	Misinterpretation of Input
ParentOf	Allowed	B	351	Insufficient Type Distinction
ParentOf	Allowed	B	434	Unrestricted Upload of File with Dangerous Type
ParentOf	Allowed	B	437	Incomplete Model of Endpoint Features
ParentOf	Allowed	B	444	Inconsistent Interpretation of HTTP Requests ('HTTP Request/Response Smuggling')
ParentOf	Allowed	V	626	Null Byte Interaction Error (Poison Null Byte)
ParentOf	Allowed	V	650	Trusting HTTP Permission Methods on the Server Side
ParentOf	Allowed	V	86	Improper Neutralization of Invalid Characters in Identifiers in Web Pages

Nature: ChildOf

Mapping: Discouraged

Type: Pillar

ID: 435

Name: Improper Interaction Between Multiple Correctly-Behaving Entities

Nature: ParentOf

Mapping: Allowed

Type: Variant

ID: 113

Name: Improper Neutralization of CRLF Sequences in HTTP Headers ('HTTP Request/Response Splitting')

Nature: ParentOf

Mapping: Allowed

Type: Base

ID: 115

Name: Misinterpretation of Input

Nature: ParentOf

Mapping: Allowed

Type: Base

ID: 351

Name: Insufficient Type Distinction

Nature: ParentOf

Mapping: Allowed

Type: Base

ID: 434

Name: Unrestricted Upload of File with Dangerous Type

Nature: ParentOf

Mapping: Allowed

Type: Base

ID: 437

Name: Incomplete Model of Endpoint Features

Nature: ParentOf

Mapping: Allowed

Type: Base

ID: 444

Name: Inconsistent Interpretation of HTTP Requests ('HTTP Request/Response Smuggling')

Nature: ParentOf

Mapping: Allowed

Type: Variant

ID: 626

Name: Null Byte Interaction Error (Poison Null Byte)

Nature: ParentOf

Mapping: Allowed

Type: Variant

ID: 650

Name: Trusting HTTP Permission Methods on the Server Side

Nature: ParentOf

Mapping: Allowed

Type: Variant

ID: 86

Name: Improper Neutralization of Invalid Characters in Identifiers in Web Pages

▼Memberships

Nature	Mapping	Type	ID	Name
MemberOf	Prohibited	C	957	SFP Secondary Cluster: Protocol Error
MemberOf	Prohibited	V	1003	Weaknesses for Simplified Mapping of Published Vulnerabilities
MemberOf	Prohibited	C	1398	Comprehensive Categorization: Component Interaction

Nature: MemberOf

Mapping: Prohibited

Type:Category

ID: 957

Name: SFP Secondary Cluster: Protocol Error

Nature: MemberOf

Mapping: Prohibited

Type:View

ID: 1003

Name: Weaknesses for Simplified Mapping of Published Vulnerabilities

Nature: MemberOf

Mapping: Prohibited

Type:Category

ID: 1398

Name: Comprehensive Categorization: Component Interaction

▼Tags

Nature	Mapping	Type	ID	Name
MemberOf	Prohibited	BS	BOSS-294	Not Language-Specific Weaknesses
MemberOf	Prohibited	BS	BOSS-315	Unexpected State (impact)
MemberOf	Prohibited	BS	BOSS-326	Varies by Context (impact)

Nature: MemberOf

Mapping: Prohibited

Type:BOSSView

ID: BOSS-294

Name: Not Language-Specific Weaknesses

Nature: MemberOf

Mapping: Prohibited

Type:BOSSView

ID: BOSS-315

Name: Unexpected State (impact)

Nature: MemberOf

Mapping: Prohibited

Type:BOSSView

ID: BOSS-326

Name: Varies by Context (impact)

▼Relevant To View

Relevant to the view"Software Fault Pattern (SFP) Clusters - (888)"

Nature	Mapping	Type	ID	Name
MemberOf	Prohibited	C	957	SFP Secondary Cluster: Protocol Error

Nature: MemberOf

Mapping: Prohibited

Type: Category

ID: 957

Name: SFP Secondary Cluster: Protocol Error

▼Common Consequences

Scope	Likelihood	Impact	Note
IntegrityOther	N/A	Unexpected StateVaries by Context	N/A

Scope: Integrity, Other

Likelihood: N/A

Impact: Unexpected State, Varies by Context

Note:

N/A

▼Modes Of Introduction

Phase: Architecture and Design

Note:

N/A

Phase: Implementation

Note:

N/A

▼Applicable Platforms

Languages

Class: Not Language-Specific(Undetermined Prevalence)

▼Demonstrative Examples

Example 1

The paper "Insertion, Evasion, and Denial of Service: Eluding Network Intrusion Detection" [REF-428] shows that OSes varied widely in how they manage unusual packets, which made it difficult or impossible for intrusion detection systems to properly detect certain attacker manipulations that took advantage of these OS differences.

Example 2

Null characters have different interpretations in Perl and C, which have security consequences when Perl invokes C functions. Similar problems have been reported in ASP [REF-429] and PHP.

▼Observed Examples

Reference	Description
CVE-2005-1215	Bypass filters or poison web cache using requests with multiple Content-Length headers, a non-standard behavior.
CVE-2002-0485	Anti-virus product allows bypass via Content-Type and Content-Disposition headers that are mixed case, which are still processed by some clients.
CVE-2002-1978	FTP clients sending a command with "PASV" in the argument can cause firewalls to misinterpret the server's error as a valid response, allowing filter bypass.
CVE-2002-1979	FTP clients sending a command with "PASV" in the argument can cause firewalls to misinterpret the server's error as a valid response, allowing filter bypass.
CVE-2002-0637	Virus product bypass with spaces between MIME header fields and the ":" separator, a non-standard message that is accepted by some clients.
CVE-2002-1777	AV product detection bypass using inconsistency manipulation (file extension in MIME Content-Type vs. Content-Disposition field).
CVE-2005-3310	CMS system allows uploads of files with GIF/JPG extensions, but if they contain HTML, Internet Explorer renders them as HTML instead of images.
CVE-2005-4260	Interpretation conflict allows XSS via invalid "<" when a ">" is expected, which is treated as ">" by many web browsers.
CVE-2005-4080	Interpretation conflict (non-standard behavior) enables XSS because browser ignores invalid characters in the middle of tags.

Reference: CVE-2005-1215

Description:

Bypass filters or poison web cache using requests with multiple Content-Length headers, a non-standard behavior.

Reference: CVE-2002-0485

Description:

Anti-virus product allows bypass via Content-Type and Content-Disposition headers that are mixed case, which are still processed by some clients.

Reference: CVE-2002-1978

Description:

FTP clients sending a command with "PASV" in the argument can cause firewalls to misinterpret the server's error as a valid response, allowing filter bypass.

Reference: CVE-2002-1979

Description:

FTP clients sending a command with "PASV" in the argument can cause firewalls to misinterpret the server's error as a valid response, allowing filter bypass.

Reference: CVE-2002-0637

Description:

Virus product bypass with spaces between MIME header fields and the ":" separator, a non-standard message that is accepted by some clients.

Reference: CVE-2002-1777

Description:

AV product detection bypass using inconsistency manipulation (file extension in MIME Content-Type vs. Content-Disposition field).

Reference: CVE-2005-3310

Description:

CMS system allows uploads of files with GIF/JPG extensions, but if they contain HTML, Internet Explorer renders them as HTML instead of images.

Reference: CVE-2005-4260

Description:

Interpretation conflict allows XSS via invalid "<" when a ">" is expected, which is treated as ">" by many web browsers.

Reference: CVE-2005-4080

Description:

Interpretation conflict (non-standard behavior) enables XSS because browser ignores invalid characters in the middle of tags.

▼Vulnerability Mapping Notes

Usage:Allowed-with-Review

Reason:Abstraction

Rationale:

This CWE entry is a Class and might have Base-level children that would be more appropriate

Comments:

Examine children of this entry to see if there is a better fit

▼Taxonomy Mappings

Taxonomy Name	Entry ID	Fit	Entry Name
PLOVER	N/A	N/A	Multiple Interpretation Error (MIE)
WASC	27	N/A	HTTP Response Smuggling

Taxonomy Name: PLOVER

Entry ID: N/A

Fit: N/A

Entry Name: Multiple Interpretation Error (MIE)

Taxonomy Name: WASC

Entry ID: 27

Fit: N/A

Entry Name: HTTP Response Smuggling

▼Related Attack Patterns

ID	Name
CAPEC-105	HTTP Request Splitting
CAPEC-273	HTTP Response Smuggling
CAPEC-34	HTTP Response Splitting

ID: CAPEC-105

Name: HTTP Request Splitting

ID: CAPEC-273

Name: HTTP Response Smuggling

ID: CAPEC-34

Name: HTTP Response Splitting

▼References

Reference ID: REF-427

Title: On Interpretation Conflict Vulnerabilities

Author: Steve Christey

Publication:

Bugtraq

URL:https://seclists.org/bugtraq/2005/Nov/30

URL Date:2023-04-07

Day:03

Month:11

Year:2005

Reference ID: REF-428

Title: Insertion, Evasion, and Denial of Service: Eluding Network Intrusion Detection

Author: Thomas H. Ptacek, Timothy N. Newsham

Publication:

URL:https://insecure.org/stf/secnet_ids/secnet_ids.pdf

URL Date:2023-04-07

Day:N/A

Month:01

Year:1998

Reference ID: REF-429

Title: 0x00 vs ASP file upload scripts

Author: Brett Moore

Publication:

URL:http://www.security-assessment.com/Whitepapers/0x00_vs_ASP_File_Uploads.pdf

Day:13

Month:07

Year:2004

Reference ID: REF-430

Title: Poison NULL byte

Author: Rain Forest Puppy

Publication:

Phrack

Day:N/A

Month:N/A

Year:N/A

Reference ID: REF-431

Title: Re: Corsaire Security Advisory - Multiple vendor MIME RFC2047 encoding

Author: David F. Skoll

Publication:

Bugtraq

URL:http://marc.info/?l=bugtraq&m=109525864717484&w=2

Day:15

Month:09

Year:2004