CWE-234: Failure to Handle Missing Parameter
If too few arguments are sent to a function, the function will still pop the expected number of arguments from the stack. Potentially, a variable number of arguments could be exhausted in a function as well.
Technical Details
Structure: Simple
Applicable To: Not Language-Specific
Security Consequences
Scope: Integrity, Confidentiality, Availability, Access Control
Impact: Execute Unauthorized Code or Commands; Gain Privileges or Assume Identity
There is the potential for arbitrary code execution with the privileges of the vulnerable program if the function parameter list is exhausted.
Scope: Availability
Impact: DoS: Crash, Exit, or Restart
Potentially a program could fail if it needs more arguments than are available.
Mitigation Strategies
- This issue can be simply combated with the use of a proper build process.
- Forward declare all functions. This is the recommended solution. A proper forward declaration (prototype) of every function that is used will result in a compiler error if too few arguments are sent to a function.
Detection Methods
No detection method information available for this CWE.
Code Examples & CVEs
Demonstrative Examples
The following example demonstrates the weakness.
This can be exploited to disclose information with no work whatsoever. In fact, each time this function is run, it will print out the next 4 bytes on the stack after the two numbers sent to it.
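The two mitigations above, carried into working C as an added example (this is not MITRE's demonstrative code, which the page describes but does not reproduce; `add_three`, `join_strings`/`join_impl` and `sum_ints` are hypothetical names chosen here). With a full prototype in scope, a call such as `add_three(1, 2)` is rejected at compile time instead of silently reading a third argument that was never passed. For variadic functions, where no prototype can check the count, the example terminates the list with a sentinel that a wrapper macro appends on the caller's behalf, or prefixes it with an explicit count, so `va_arg` never walks past the arguments that were actually supplied:

```c
#include <stdarg.h>
#include <stddef.h>
#include <stdio.h>
#include <string.h>

/* Mitigation 1: a full prototype for every function that is used.
 * With this declaration in scope, `add_three(1, 2)` is a compile-time
 * error instead of a call that silently reads whatever happens to be
 * in the third argument slot. (Hypothetical function, constructed here.) */
int add_three(int a, int b, int c);

/* Mitigation 2: a variadic callee must never guess how many arguments
 * the caller supplied. join_impl stops at a NULL sentinel and also stops
 * when the destination buffer is full. (Hypothetical function.) */
size_t join_impl(char *dst, size_t dstsz, const char *first, ...);

/* The public entry point appends the sentinel itself, so a caller cannot
 * "forget the last parameter" and send va_arg walking off the argument list.
 * Requires at least one string argument after dstsz. */
#define join_strings(dst, dstsz, ...) \
    join_impl((dst), (dstsz), __VA_ARGS__, (const char *)NULL)

/* Count-prefixed alternative for cases where NULL/0 is a legitimate value:
 * the caller states the count and the callee consumes exactly that many. */
int sum_ints(int count, ...);

int add_three(int a, int b, int c)
{
    return a + b + c;
}

size_t join_impl(char *dst, size_t dstsz, const char *first, ...)
{
    va_list ap;
    const char *part;
    size_t used = 0;

    if (dstsz == 0)
        return 0;
    dst[0] = '\0';

    va_start(ap, first);
    for (part = first; part != NULL; part = va_arg(ap, const char *)) {
        size_t len = strlen(part);
        if (used + len >= dstsz)          /* truncate instead of overflowing dst */
            len = dstsz - 1 - used;
        memcpy(dst + used, part, len);
        used += len;
        dst[used] = '\0';
        if (used == dstsz - 1)            /* buffer full: stop consuming arguments */
            break;
    }
    va_end(ap);
    return used;
}

int sum_ints(int count, ...)
{
    va_list ap;
    int total = 0;

    va_start(ap, count);
    while (count-- > 0)
        total += va_arg(ap, int);
    va_end(ap);
    return total;
}

int main(void)
{
    char line[64];

    printf("add_three(1, 2, 3) = %d\n", add_three(1, 2, 3));
    join_strings(line, sizeof line, "GET", " ", "/index.html", " ", "HTTP/1.0");
    printf("joined: \"%s\"\n", line);
    printf("sum_ints(3, 10, 20, 30) = %d\n", sum_ints(3, 10, 20, 30));
    return 0;
}
```

Only a declaration with a parameter list, such as `int add_three(int, int, int);`, is a prototype; the old-style `int add_three();` says nothing about the arguments and does not produce the error (C23 changes empty parentheses to mean "no parameters"). Building with `-Werror=implicit-function-declaration` on GCC or Clang additionally rejects any call for which no declaration is visible at all, which is the build-process half of the mitigation.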
Observed CVE Examples (15)
- Server earlier allows remote attackers to cause a denial of service (crash) via an HTTP request with a sequence of "%" characters and a missing Host field.
- Chat client allows remote malicious IRC servers to cause a denial of service (crash) via a PART message with (1) a missing channel or (2) a channel that the user is not in.
- Proxy allows remote attackers to cause a denial of service (crash) via an HTTP request to helpout.exe with a missing HTTP version number.
- Web server allows disclosure of CGI source code via an HTTP request without the version number.
- Application server allows a remote attacker to read the source code to arbitrary 'jsp' files via a malformed URL request which does not end with an HTTP protocol specification.
- Chat software allows remote attackers to cause a denial of service via malformed GIF89a headers that do not contain a GCT (Global Color Table) or an LCT (Local Color Table) after an Image Descriptor.
- Server allows remote attackers to cause a denial of service (crash) via an HTTP GET request without a URI.
- Empty elements/strings in protocol test suite affect many SSH2 servers/clients.
- Resultant infoleak in web server via GET requests without HTTP/1.0 version string.
- GET request with empty parameter leads to error message infoleak (path disclosure).
CWE Relationships
Frequently Asked Questions
What is CWE-234: Failure to Handle Missing Parameter?
CWE-234: Failure to Handle Missing Parameter is a Common Weakness Enumeration (CWE) entry maintained by MITRE. If too few arguments are sent to a function, the function will still pop the expected number of arguments from the stack. Potentially, a variable number of arguments could be exhausted in a function as well.
What are the security consequences of Failure to Handle Missing Parameter?
If exploited, CWE-234 (Failure to Handle Missing Parameter) can compromise Integrity, Confidentiality, Availability and Access Control, leading to outcomes such as Execute Unauthorized Code or Commands, Gain Privileges or Assume Identity, and DoS: Crash, Exit, or Restart.
How do you prevent or mitigate Failure to Handle Missing Parameter?
Recommended mitigations for CWE-234 include using a proper build process and, as the recommended solution, forward declaring all functions: a proper forward declaration of every function that is used will result in a compiler error if too few arguments are sent to a function.
Which programming languages are affected by Failure to Handle Missing Parameter?
CWE-234 is not language-specific. Note that weaknesses are often language-agnostic patterns, so secure coding practices apply broadly.
What are real-world examples of Failure to Handle Missing Parameter?
MITRE documents real CVEs mapped to CWE-234, including CVE-2004-0276, CVE-2002-1488, CVE-2002-1169, CVE-2000-0521 and CVE-2001-0590. You can look up the full details of each CVE, including CVSS scores and remediation guidance, on our CVE Lookup tool.
What is the difference between a CWE and a CVE?
A CWE (Common Weakness Enumeration) like CWE-234 describes a category of software weakness — the underlying flaw type. A CVE (Common Vulnerabilities and Exposures) identifies a specific, real-world vulnerability in a particular product. In short, a CWE is the kind of mistake, and a CVE is an instance of that mistake being found in software.