1. Home
  2. CWE Database
  3. CWE-181
Variant · Low-Medium

CWE-181: Incorrect Behavior Order: Validate Before Filter

The product validates data before it has been filtered, which prevents the product from detecting data that becomes invalid after the filtering step.

CWE-181 · Variant Level ·2 CVEs ·1 Mitigations

Description

The product validates data before it has been filtered, which prevents the product from detecting data that becomes invalid after the filtering step.

This can be used by an attacker to bypass the validation and launch attacks that expose weaknesses that would otherwise be prevented, such as injection.

Potential Impact

Access Control

Bypass Protection Mechanism

Demonstrative Examples

This script creates a subdirectory within a user directory and sets the user as the owner.
Bad
function createDir($userName,$dirName){$userDir = '/users/'. $userName;if(strpos($dirName,'..') !== false){echo 'Directory name contains invalid sequence';return;}
                        //filter out '~' because other scripts identify user directories by this prefix
                        $dirName = str_replace('~','',$dirName);$newDir = $userDir . $dirName;mkdir($newDir, 0700);chown($newDir,$userName);}
While the script attempts to screen for '..' sequences, an attacker can submit a directory path including ".~.", which will then become ".." after the filtering step. This allows a Path Traversal (CWE-21) attack to occur.

Mitigations & Prevention

ImplementationArchitecture and Design

Inputs should be decoded and canonicalized to the application's current internal representation before being filtered.

Real-World CVE Examples

CVE IDDescription
CVE-2002-0934Directory traversal vulnerability allows remote attackers to read or modify arbitrary files via invalid characters between two . (dot) characters, which are filtered and result in a ".." sequence.
CVE-2003-0282Directory traversal vulnerability allows attackers to overwrite arbitrary files via invalid characters between two . (dot) characters, which are filtered and result in a ".." sequence.

CWE-179: Incorrect Behavior Order: Early Validation

The product validates input before applying protection mechanisms that modify the input, which could allow an attacker t...

Taxonomy Mappings

  • PLOVER: — Validate-Before-Filter
  • OWASP Top Ten 2004: A1 — Unvalidated Input

Frequently Asked Questions

What is CWE-181?

CWE-181 (Incorrect Behavior Order: Validate Before Filter) is a software weakness identified by MITRE's Common Weakness Enumeration. It is classified as a Variant-level weakness. The product validates data before it has been filtered, which prevents the product from detecting data that becomes invalid after the filtering step.

How can CWE-181 be exploited?

Attackers can exploit CWE-181 (Incorrect Behavior Order: Validate Before Filter) to bypass protection mechanism. This weakness is typically introduced during the Implementation phase of software development.

How do I prevent CWE-181?

Key mitigations include: Inputs should be decoded and canonicalized to the application's current internal representation before being filtered.

What is the severity of CWE-181?

CWE-181 is classified as a Variant-level weakness (Low-Medium abstraction). It has been observed in 2 real-world CVEs.