CWE-178: Improper Handling of Case Sensitivity
The product does not properly account for differences in case sensitivity when accessing or determining the properties of a resource, leading to inconsistent results.
Extended Description
Improperly handled case-sensitive data can lead to several possible consequences, including:
- case-insensitive passwords reducing the size of the key space, making brute force attacks easier
- bypassing filters or access controls using alternate names
- multiple interpretation errors using alternate names
Technical Details
- Structure: Simple
Applicable To
- Language: Not Language-Specific
Security Consequences
- Scope: Access Control
- Impact: Bypass Protection Mechanism
Mitigation Strategies
No mitigation information available for this CWE.
Detection Methods
No detection method information available for this CWE.
Code Examples & CVEs
Demonstrative Examples
In MITRE's demonstrative example for this weakness (the code itself is not reproduced on this page), an XSS neutralization method intends to replace script tags in user-supplied input with a safe equivalent:
The code only works when the "script" tag is in all lower-case, forming an incomplete denylist (CWE-184). Equivalent tags such as "SCRIPT" or "ScRiPt" will not be neutralized by this method, allowing an XSS attack.
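As an added illustration (this is not MITRE's demonstrative code and not from any project named on this page), the Python below puts the flawed case-sensitive token replacement next to two corrections: a case-insensitive match, which closes the `SCRIPT`/`ScRiPt` gap but remains a denylist, and HTML output encoding, which neutralizes the tag without enumerating spellings at all. The payloads and function names are constructed for this example.

```python
import re
import html

# Constructed payloads for this example (not from the original page).
PAYLOADS = (
    "<script>alert(1)</script>",
    "<SCRIPT>alert(1)</SCRIPT>",
    "<ScRiPt>alert(1)</sCrIpT>",
)


def neutralize_naive(user_input: str, mask: str = "[removed]") -> str:
    """Mirrors the flawed pattern: a case-sensitive replacement of the literal
    token 'script'. Only the all-lowercase spelling is caught (CWE-178 producing
    an incomplete denylist, CWE-184)."""
    return user_input.replace("script", mask)


def neutralize_case_insensitive(user_input: str, mask: str = "[removed]") -> str:
    """Case-insensitive version: SCRIPT, ScRiPt, etc. are now caught. It is still a
    denylist, so it remains weaker than encoding for the output context."""
    return re.sub(r"script", mask, user_input, flags=re.IGNORECASE)


def neutralize_by_encoding(user_input: str) -> str:
    """Preferred approach: HTML-encode the value for the context it is rendered in.
    Case is irrelevant because '<' and '>' are escaped whatever follows them."""
    return html.escape(user_input, quote=True)


def still_has_script_tag(output: str) -> bool:
    """Detection check: does an opening <script ...> tag, in any case, survive?"""
    return re.search(r"<\s*script\b", output, flags=re.IGNORECASE) is not None


def compare_filters(payloads=PAYLOADS) -> dict:
    """Count how many payloads still carry a script tag after each filter."""
    return {
        "naive": sum(still_has_script_tag(neutralize_naive(p)) for p in payloads),
        "case_insensitive": sum(still_has_script_tag(neutralize_case_insensitive(p)) for p in payloads),
        "encoding": sum(still_has_script_tag(neutralize_by_encoding(p)) for p in payloads),
    }


if __name__ == "__main__":
    for name, bypasses in compare_filters().items():
        print(f"{name:17s} payloads bypassing filter: {bypasses}/{len(PAYLOADS)}")
```

The naive filter is bypassed by two of the three constructed payloads; the other two variants let none through. The check in `still_has_script_tag` is itself case-insensitive, which is the point of the example: a test that only looked for lowercase `<script` would pass the broken filter.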
Observed CVE Examples (18)
- Application server allows attackers to bypass execution of a jsp page and read the source code using an upper case JSP extension in the request.
- The server is case sensitive, so filetype handlers treat .jsp and .JSP as different extensions. JSP source code may be read because .JSP defaults to the filetype "text".
- The server is case sensitive, so filetype handlers treat .jsp and .JSP as different extensions. JSP source code may be read because .JSP defaults to the filetype "text".
- A URL that contains some characters whose case is not matched by the server's filters may bypass access restrictions because the case-insensitive file system will then handle the request after it bypasses the case sensitive filter.
- Server allows remote attackers to obtain source code of CGI scripts via URLs that contain MS-DOS conventions such as (1) upper case letters or (2) 8.3 file names.
- Task Manager does not allow local users to end processes with uppercase letters named (1) winlogon.exe, (2) csrss.exe, (3) smss.exe and (4) services.exe via the Process tab, which could allow local users to install Trojan horses that cannot be stopped.
- Chain: Code was ported from a case-sensitive Unix platform to a case-insensitive Windows platform where filetype handlers treat .jsp and .JSP as different extensions. JSP source code may be read because .JSP defaults to the filetype "text".
- Directories may be listed because lower case web requests are not properly handled by the server.
- File extension check in forum software only verifies extensions that contain all lowercase letters, which allows remote attackers to upload arbitrary files via file extensions that include uppercase letters.
- Web server restricts access to files in a case sensitive manner, but the filesystem accesses files in a case insensitive manner, which allows remote attackers to read privileged files using alternate capitalization.
- HTTP server allows bypass of access restrictions using URIs with mixed case.
- Bypass malicious script detection by using tokens that aren't case sensitive.
- Mixed case problem allows "admin" to have "Admin" rights (alternate name property).
- Chain: uppercase file extensions cause web server to return script source code instead of executing the script.
- Chain: A microservice integration and management platform compares the hostname in the HTTP Host header in a case-sensitive way (CWE-178, CWE-1289), allowing bypass of the authorization policy (CWE-863) using a hostname with mixed case or other variations.
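Most of the entries above share one shape: a case-sensitive filter or handler table sits in front of a case-insensitive resource, so an alternate capitalization slips past the check and is then resolved to the protected object. The following Python is an added example (not code from any product in the list) that models that shape and the fix: canonicalize the name once, make every decision on the canonical form, and fail closed when the handler table does not recognize the extension instead of falling back to serving the file as text. The policy, extensions and request paths are constructed for the example, and it assumes the backing filesystem is case-insensitive, as in the CVEs above.

```python
import posixpath

# Constructed policy for this example (not from the page or any real server):
PROTECTED_PREFIXES = ("/admin/",)          # paths that must not be served anonymously
SCRIPT_EXTENSIONS = (".jsp", ".cgi")       # executed, never returned as source
STATIC_EXTENSIONS = (".html", ".css", ".txt")


def canonicalize(url_path: str) -> str:
    """Canonical form used for every decision: collapse dot segments, then fold
    case. Case folding is correct here only because the backing filesystem is
    assumed case-insensitive, so '/ADMIN/x.JSP' and '/admin/x.jsp' are one file."""
    return posixpath.normpath("/" + url_path.lstrip("/")).lower()


def decide_flawed(url_path: str) -> str:
    """Case-sensitive prefix filter plus a case-sensitive handler table with a
    permissive default: an unrecognized extension is served as plain text, which
    is the source-disclosure pattern described in several of the CVEs above."""
    if url_path.startswith(PROTECTED_PREFIXES):
        return "blocked"
    _, ext = posixpath.splitext(url_path)
    return "script" if ext in SCRIPT_EXTENSIONS else "text"   # unknown -> source leak


def decide_fixed(url_path: str) -> str:
    """Canonicalize once, decide on the canonical form, and fail closed on any
    extension the handler table does not know."""
    path = canonicalize(url_path)
    if path.startswith(PROTECTED_PREFIXES):
        return "blocked"
    _, ext = posixpath.splitext(path)
    if ext in SCRIPT_EXTENSIONS:
        return "script"
    if ext in STATIC_EXTENSIONS:
        return "text"
    return "deny"


# Constructed requests modelled on the CVE descriptions above.
REQUESTS = (
    "/admin/config.jsp",            # straightforward; both versions block it
    "/ADMIN/config.jsp",            # alternate capitalization of a protected directory
    "/Admin/../admin/config.JSP",   # mixed case plus a dot segment
    "/public/index.JSP",            # uppercase extension -> served as text by the flawed server
    "/public/notes.bak",            # extension unknown to the handler table
)


def evaluate(requests=REQUESTS) -> dict:
    """Map each request to (flawed decision, fixed decision)."""
    return {r: (decide_flawed(r), decide_fixed(r)) for r in requests}


if __name__ == "__main__":
    for request, (flawed, fixed) in evaluate().items():
        print(f"{request:30s} flawed={flawed:8s} fixed={fixed}")
```

Two caveats the example is built around. First, fold case only when the thing being named really is case-insensitive: on a case-sensitive filesystem, rewriting the path to lowercase would change which file is served, so there you compare the extension case-insensitively but leave the path alone. The same rule covers the Host header entry above, since DNS names are case-insensitive and an authorization policy keyed on them has to fold case before comparing. Second, the permissive default in `decide_flawed` turns a classification miss into a disclosure; the fixed version denies anything it cannot classify.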
CWE Relationships
No relationship information available for this CWE.
Frequently Asked Questions
What is CWE-178: Improper Handling of Case Sensitivity?
CWE-178: Improper Handling of Case Sensitivity is a Common Weakness Enumeration (CWE) entry maintained by MITRE. The product does not properly account for differences in case sensitivity when accessing or determining the properties of a resource, leading to inconsistent results. Improperly handled case-sensitive data can lead to several possible consequences, including case-insensitive passwords that reduce the size of the key space and make brute force attacks easier, bypass of filters or access controls using alternate names, and multiple interpretation errors using alternate names.
What are the security consequences of Improper Handling of Case Sensitivity?
If exploited, CWE-178 (Improper Handling of Case Sensitivity) can compromise Access Control, leading to outcomes such as Bypass Protection Mechanism.
Which programming languages are affected by Improper Handling of Case Sensitivity?
MITRE lists CWE-178 as Not Language-Specific. The weakness is a language-agnostic pattern (a comparison or lookup that treats differently cased names inconsistently), so the same secure coding practices apply regardless of implementation language.
What are real-world examples of Improper Handling of Case Sensitivity?
MITRE documents real CVEs mapped to CWE-178, including CVE-2000-0499, CVE-2000-0497, CVE-2000-0498, CVE-2001-0766 and CVE-2001-0795. You can look up the full details of each CVE, including CVSS scores and remediation guidance, on our CVE Lookup tool.
What is the difference between a CWE and a CVE?
A CWE (Common Weakness Enumeration) like CWE-178 describes a category of software weakness — the underlying flaw type. A CVE (Common Vulnerabilities and Exposures) identifies a specific, real-world vulnerability in a particular product. In short, a CWE is the kind of mistake, and a CVE is an instance of that mistake being found in software.