Variant · Low-Medium

CWE-102: Struts: Duplicate Validation Forms

The product uses multiple validation forms with the same name, which might cause the Struts Validator to validate a form that the programmer does not expect.

CWE-102 · Variant Level · 1 Mitigation

Description

The product uses multiple validation forms with the same name, which might cause the Struts Validator to validate a form that the programmer does not expect.

If two validation forms have the same name, the Struts Validator arbitrarily chooses one of the forms to use for input validation and discards the other. This decision might not correspond to the programmer's expectations, possibly leading to resultant weaknesses. Moreover, it indicates that the validation logic is not up-to-date, and can indicate that other, more subtle validation errors are present.

Potential Impact

Integrity

Unexpected State

Demonstrative Examples

These two Struts validation forms have the same name.
Bad
<form-validation>
  <formset>
    <form name="ProjectForm"> ... </form>
    <form name="ProjectForm"> ... </form>
  </formset>
</form-validation>
It is not certain which form will be used by Struts. It is critically important that validation logic be maintained and kept in sync with the rest of the product.

Mitigations & Prevention

Implementation

Validating the file against its DTD or schema will not catch a duplicate form name: the name attribute is ordinary text, and nothing in the grammar requires it to be unique within a formset. To find the issue in the implementation, apply manual review or automated static analysis to the XML configuration files, flagging any form name that occurs more than once inside the same formset (the same name may legitimately appear again in a separate locale-specific formset).
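The following is an added example of such a static check, not code from the CWE entry or from the Struts project. It walks a Struts validation.xml with the standard-library expat parser, records the line of every form element per formset, and reports names that repeat within one formset while ignoring the same name in a different locale formset. The two XML documents are constructed for the demonstration: the first reproduces the CWE-102 condition (ProjectForm defined twice in the default formset), the second is the corrected configuration with the two definitions merged into one form. The field names and the "de" locale are assumptions.

```python
"""Report duplicate <form name="..."> entries within a Struts validation.xml formset.

Added example (not part of the CWE entry or of Struts); standard library only.
"""
import xml.parsers.expat
from collections import defaultdict

# Constructed sample: ProjectForm appears twice in the default formset (the
# CWE-102 condition). The third ProjectForm sits in a separate "de" formset,
# which is a legitimate per-locale definition and must not be reported.
BAD_VALIDATION_XML = """<form-validation>
  <formset>
    <form name="ProjectForm">
      <field property="name" depends="required"/>
    </form>
    <form name="LoginForm">
      <field property="username" depends="required"/>
    </form>
    <form name="ProjectForm">
      <field property="budget" depends="required,integer"/>
    </form>
  </formset>
  <formset language="de">
    <form name="ProjectForm">
      <field property="name" depends="required"/>
    </form>
  </formset>
</form-validation>
"""

# Constructed fix: the two ProjectForm definitions are merged into one form,
# so every rule the developer wrote is guaranteed to be the one applied.
FIXED_VALIDATION_XML = """<form-validation>
  <formset>
    <form name="ProjectForm">
      <field property="name" depends="required"/>
      <field property="budget" depends="required,integer"/>
    </form>
    <form name="LoginForm">
      <field property="username" depends="required"/>
    </form>
  </formset>
  <formset language="de">
    <form name="ProjectForm">
      <field property="name" depends="required"/>
    </form>
  </formset>
</form-validation>
"""

LOCALE_ATTRS = ("language", "country", "variant")


def find_duplicate_forms(xml_text):
    """Return [(formset_key, form_name, [line, ...]), ...] for every form name
    that is defined more than once inside the same formset.

    formset_key is the (language, country, variant) triple of the enclosing
    formset; the default formset has ("", "", ""). Line numbers come from the
    expat parser, so the report points at the exact duplicate definitions.
    """
    parser = xml.parsers.expat.ParserCreate()
    seen = defaultdict(lambda: defaultdict(list))  # formset_key -> name -> lines
    enclosing = []  # stack of formset keys; Struts does not nest formsets, but be safe

    def start_element(tag, attrs):
        if tag == "formset":
            enclosing.append(tuple(attrs.get(a, "") for a in LOCALE_ATTRS))
        elif tag == "form" and enclosing:
            seen[enclosing[-1]][attrs.get("name", "")].append(parser.CurrentLineNumber)

    def end_element(tag):
        if tag == "formset":
            enclosing.pop()

    parser.StartElementHandler = start_element
    parser.EndElementHandler = end_element
    parser.Parse(xml_text, True)
    return [
        (formset_key, name, lines)
        for formset_key, forms in seen.items()
        for name, lines in forms.items()
        if len(lines) > 1
    ]


def format_report(xml_text):
    """Human-readable one-line-per-finding report; empty list means clean."""
    return [
        f"formset {formset_key}: form '{name}' defined {len(lines)} times (lines {lines})"
        for formset_key, name, lines in find_duplicate_forms(xml_text)
    ]


if __name__ == "__main__":
    for label, doc in (("bad", BAD_VALIDATION_XML), ("fixed", FIXED_VALIDATION_XML)):
        print(f"{label}: {format_report(doc) or 'no duplicate form names'}")
```

Run it against a real validation.xml by passing the file contents to format_report; a non-empty result is a CWE-102 finding. Which of the duplicate definitions the Struts Validator ends up using is decided by the loader rather than by the developer, so the only safe fix is the merge shown in the second document.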

Taxonomy Mappings

  • 7 Pernicious Kingdoms: Struts: Duplicate Validation Forms
  • Software Fault Patterns: SFP24 — Tainted input to command

Frequently Asked Questions

What is CWE-102?

CWE-102 (Struts: Duplicate Validation Forms) is a software weakness identified by MITRE's Common Weakness Enumeration. It is classified as a Variant-level weakness. The product uses multiple validation forms with the same name, which might cause the Struts Validator to validate a form that the programmer does not expect.

How can CWE-102 be exploited?

CWE-102 (Struts: Duplicate Validation Forms) is not exploited directly. Its effect is an unexpected state: the Struts Validator silently keeps only one of the identically named forms, so the validation rules the developer intended may never be applied, and input that should have been rejected reaches the application. The exploitable weakness is whatever that missing validation was meant to prevent. This weakness is typically introduced during the Implementation phase of software development.

How do I prevent CWE-102?

Key mitigations include: the DTD or schema validation will not catch the duplicate occurrence of the same form name. To find the issue in the implementation, manual checks or automated static analysis could be applied to the XML configuration files.

What is the severity of CWE-102?

CWE-102 is classified as a Variant-level weakness. Variant is an abstraction level, the most specific one in CWE (here, a Struts-specific form of a broader input-validation weakness), not a severity rating. Its actual severity depends on the specific context and how the weakness manifests in your application.