The product has a form field that is not validated by a corresponding validation form, which can introduce other weaknesses related to insufficient input validation.
View on MITREOmitting validation for even a single input field may give attackers the leeway they need to compromise the product. Although J2EE applications are not generally susceptible to memory corruption attacks, if a J2EE application interfaces with native code that does not perform array bounds checking, an attacker may be able to use an input validation mistake in the J2EE application to launch a buffer overflow attack.
If unused fields are not validated, shared business logic in an action may allow attackers to bypass the validation checks that are performed for other uses of the form.
Validate all form fields. If a field is unused, it is still important to constrain it so that it is empty or undefined.
No detection method information available for this CWE.
In the following example the Java class RegistrationForm is a Struts framework ActionForm Bean that will maintain user input data from a registration webpage for an online business site. The user will enter registration data and, through the Struts framework, the RegistrationForm bean will maintain the user data in the form fields using the private member variables. The RegistrationForm class uses the Struts validation capability by extending the ValidatorForm class and including the validation for the form fields within the validator XML file, validator.xml.
The validator XML file, validator.xml, provides the validation for the form fields of the RegistrationForm.
In the following example the Java class RegistrationForm is a Struts framework ActionForm Bean that will maintain user input data from a registration webpage for an online business site. The user will enter registration data and, through the Struts framework, the RegistrationForm bean will maintain the user data in the form fields using the private member variables. The RegistrationForm class uses the Struts validation capability by extending the ValidatorForm class and including the validation for the form fields within the validator XML file, validator.xml.
The validator XML file, validator.xml, provides the validation for the form fields of the RegistrationForm.
No relationship information available for this CWE.
CWE-105: Struts: Form Field Without Validator is a Common Weakness Enumeration (CWE) entry maintained by MITRE. The product has a form field that is not validated by a corresponding validation form, which can introduce other weaknesses related to insufficient input validation. Omitting validation for even a single input field may give attackers the leeway they need to compromise the product. Although J2EE applications are not generally susceptible to memory corruption attacks, if a J2EE application interfaces with native code that does not perform array bounds checking, an attacker may be able to use an input validation mistake in the J2EE application to launch a buffer overflow attack.
If exploited, CWE-105 (Struts: Form Field Without Validator) it can compromise Integrity, leading to outcomes such as Unexpected State and Bypass Protection Mechanism.
Recommended mitigations for CWE-105 include: Validate all form fields. If a field is unused, it is still important to constrain it so that it is empty or undefined.
CWE-105 commonly affects Java. Note that weaknesses are often language-agnostic patterns, so secure coding practices apply broadly.
A CWE (Common Weakness Enumeration) like CWE-105 describes a category of software weakness — the underlying flaw type. A CVE (Common Vulnerabilities and Exposures) identifies a specific, real-world vulnerability in a particular product. In short, a CWE is the kind of mistake, and a CVE is an instance of that mistake being found in software.