Description
The product performs a comparison that only examines a portion of a factor before determining whether there is a match, such as a substring, leading to resultant weaknesses.
For example, an attacker might succeed in authentication by providing a short password that matches the leading portion of the longer, correct password.
Potential Impact
Integrity, Access Control
Alter Execution Logic, Bypass Protection Mechanism
Demonstrative Examples
```c
/* Ignore CWE-259 (hard-coded password) and CWE-309 (use of password system for authentication) for this example. */
#include <stdio.h>
#include <stdlib.h>
#include <string.h>

#define AUTH_FAIL    0
#define AUTH_SUCCESS 1

char *username = "admin";
char *pass = "password";

/* Minimal helpers so the example compiles; the CWE entry leaves them undefined. */
void logEvent(const char *msg) { fprintf(stderr, "%s\n", msg); }
void ExitError(const char *msg) { fprintf(stderr, "%s\n", msg); exit(1); }
void DoAuthenticatedTask(const char *user) { printf("Authenticated task for %s\n", user); }

int AuthenticateUser(char *inUser, char *inPass) {
    /* Both comparisons are bounded by the length of the caller-supplied string,
     * so any prefix of the stored value compares equal (the CWE-187 defect). */
    if (strncmp(username, inUser, strlen(inUser))) {
        logEvent("Auth failure of username using strlen of inUser");
        return(AUTH_FAIL);
    }
    if (! strncmp(pass, inPass, strlen(inPass))) {
        logEvent("Auth success of password using strlen of inUser");
        return(AUTH_SUCCESS);
    }
    else {
        logEvent("Auth fail of password using sizeof");
        return(AUTH_FAIL);
    }
}

int main (int argc, char **argv) {
    int authResult;

    if (argc < 3) {
        ExitError("Usage: Provide a username and password");
    }
    authResult = AuthenticateUser(argv[1], argv[2]);
    if (authResult == AUTH_SUCCESS) {
        DoAuthenticatedTask(argv[1]);
    }
    else {
        ExitError("Authentication failed");
    }
    return 0;
}
```
Mitigations & Prevention
Thoroughly test the comparison scheme before deploying code into production. Perform positive testing as well as negative testing.
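An added example (not part of the CWE entry) of the negative testing recommended above: the partial comparison from the demonstrative example is run side by side with a hardened, full-length comparison over a constructed secret and a constructed set of candidate inputs, including the empty string, which strncmp with a length of zero accepts unconditionally. The names STORED_SECRET, CANDIDATES, partial_match, full_match and count_accepted are assumptions of this example.

```c
#include <stdbool.h>
#include <stddef.h>
#include <stdio.h>
#include <string.h>

/* Constructed secret and candidate inputs (not from the CWE entry). */
static const char STORED_SECRET[] = "password";
static const char *const CANDIDATES[] = {"", "p", "pass", "password", "passwordx", "x"};
#define NUM_CANDIDATES (sizeof CANDIDATES / sizeof CANDIDATES[0])

/* Partial comparison from the demonstrative example: the byte count comes
 * from the caller-supplied string, so any prefix of the stored secret
 * matches, and an empty string matches everything (strncmp with n == 0). */
bool partial_match(const char *stored, const char *supplied) {
    return strncmp(stored, supplied, strlen(supplied)) == 0;
}

/* Hardened comparison: lengths must agree and every byte must match. The
 * loop always walks the whole stored secret, so the time taken does not
 * depend on how many leading bytes matched. */
bool full_match(const char *stored, const char *supplied) {
    size_t slen = strlen(stored), ulen = strlen(supplied);
    unsigned char diff = (unsigned char)(slen != ulen);
    for (size_t i = 0; i < slen; i++) {
        unsigned char u = (i < ulen) ? (unsigned char)supplied[i] : 0;
        diff |= (unsigned char)stored[i] ^ u;
    }
    return diff == 0;
}

/* Negative-testing helper: how many candidates does a comparison accept? */
size_t count_accepted(bool (*cmp)(const char *, const char *),
                      const char *stored, const char *const *cands, size_t n) {
    size_t accepted = 0;
    for (size_t i = 0; i < n; i++)
        if (cmp(stored, cands[i])) accepted++;
    return accepted;
}

int main(void) {
    printf("partial_match accepts %zu of %zu candidates\n",
           count_accepted(partial_match, STORED_SECRET, CANDIDATES, NUM_CANDIDATES),
           (size_t)NUM_CANDIDATES);
    printf("full_match accepts %zu of %zu candidates\n",
           count_accepted(full_match, STORED_SECRET, CANDIDATES, NUM_CANDIDATES),
           (size_t)NUM_CANDIDATES);
    return 0;
}
```

Of the six candidates, the partial comparison accepts four (the three prefixes and the empty string) while the full comparison accepts only the exact secret.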
Real-World CVE Examples
| CVE ID | Description |
|---|---|
| CVE-2014-6394 | Product does not prevent access to restricted directories due to partial string comparison with a public directory |
| CVE-2004-1012 | Argument parser of an IMAP server treats a partial command "body[p" as if it is "body.peek", leading to index error and out-of-bounds corruption. |
| CVE-2004-0765 | Web browser only checks the hostname portion of a certificate when the hostname portion of the URI is not a fully qualified domain name (FQDN), which allows remote attackers to spoof trusted certifica |
| CVE-2002-1374 | One-character password by attacker checks only against first character of real password. |
| CVE-2000-0979 | One-character password by attacker checks only against first character of real password. |
Related Weaknesses
Taxonomy Mappings
- PLOVER: Partial Comparison
Frequently Asked Questions
What is CWE-187?
CWE-187 (Partial String Comparison) is a software weakness identified by MITRE's Common Weakness Enumeration. It is classified as a Variant-level weakness. The product performs a comparison that only examines a portion of a factor before determining whether there is a match, such as a substring, leading to resultant weaknesses.
How can CWE-187 be exploited?
Attackers can exploit CWE-187 (Partial String Comparison) to alter execution logic or bypass protection mechanisms. This weakness is typically introduced during the Implementation phase of software development.
How do I prevent CWE-187?
Key mitigations include: Thoroughly test the comparison scheme before deploying code into production. Perform positive testing as well as negative testing.
What is the severity of CWE-187?
CWE-187 is classified as a Variant-level weakness (Low-Medium abstraction). It has been observed in 5 real-world CVEs.