Difference between revisions of "Improper cleanup on thrown exception"

From OWASP

Revision as of 07:43, 25 September 2008

This is a Vulnerability. To view all vulnerabilities, please see the Vulnerability Category page.

Last revision (mm/dd/yy): 09/25/2008


Description

Causing a change in flow, due to an exception, can often leave the code in a bad state.

Consequences

  • Implementation: The code could be left in a bad state.

Exposure period

  • Implementation: Many logic errors can lead to this condition.

Platform

  • Languages: Java, C, C# or any language which can throw an exception.
  • Operating platforms: Any

Required resources

Any

Severity

Medium

Likelihood of exploit

Medium

When functions or loops become complicated, some cleanup is usually needed between the beginning and the end of the block. Because an exception interrupts the normal flow of the code, it can skip that cleanup and leave the code block in a bad state.


Risk Factors

TBD

Examples

In C++/Java (shown here in Java):

public class foo {
  public static void main( String[] args ) {
        boolean returnValue;
        returnValue = doStuff();
  }

  // Shared flag standing in for a real lock: it is set while the loop body
  // runs and should always be cleared again before doStuff() returns.
  static boolean threadLock = false;

  public static boolean doStuff( ) {
        boolean truthvalue = true;
        int[] items = { 1, 2, -1, 4 };   // stands in for "check some condition"

        try {
                for (int item : items) {
                        threadLock = true;
                        // do some stuff to truthvalue; a bad item throws
                        if (item < 0) throw new IllegalArgumentException("bad item");
                        truthvalue = truthvalue && (item % 2 != 0);
                        threadLock = false;
                }
        } catch (Exception e) {
                System.err.println("You did something bad");
                // Both exits below skip "threadLock = false": the flag stays set.
                if (e instanceof IllegalArgumentException) return truthvalue;
        }
        return truthvalue;
  }
}

In this case, you may leave a thread locked accidentally: the exception thrown inside the loop bypasses the line that clears threadLock, and neither the catch block nor the final return restores it.


Related Attacks


Related Vulnerabilities


Related Controls

  • Implementation: If you leave a loop or function by throwing an exception, make sure that cleanup still happens, or exit the program. Throw exceptions sparingly.
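The following C++ example is added here to make the page's example and the control above concrete; it is not code from the OWASP page or the CLASP project. It reproduces the page's threadLock pattern with a hand-rolled locked flag, then shows the explicit-cleanup fix the control asks for and the RAII form C++ offers for the same thing. The Resource struct, the FlagGuard class, the process() function and the kItems input are all constructed for this example.

```cpp
#include <stdexcept>
#include <vector>

// Constructed shared resource guarded by a hand-rolled "locked" flag,
// mirroring the page's threadLock variable.
struct Resource {
    bool locked = false;
    int processed = 0;
};

// Constructed input: the third item is invalid and makes processing throw.
static const std::vector<int> kItems = {1, 2, -1, 4};

static void process(Resource& r, int item) {
    if (item < 0) throw std::invalid_argument("negative item");
    r.processed++;
}

// Vulnerable form: the flag is cleared only on the normal path through the
// loop body. When process() throws, control jumps to the catch block with
// locked still set, and nothing ever clears it.
bool doStuffUnsafe(Resource& r) {
    try {
        for (int item : kItems) {
            r.locked = true;
            process(r, item);
            r.locked = false;
        }
    } catch (const std::exception&) {
        return false;   // lock is never released on this path
    }
    return true;
}

// Hardened form, explicit cleanup: release the flag on the exceptional exit
// as well. This works, but every new exit path must remember to do it.
bool doStuffWithCatchCleanup(Resource& r) {
    try {
        for (int item : kItems) {
            r.locked = true;
            process(r, item);
            r.locked = false;
        }
    } catch (const std::exception&) {
        r.locked = false;   // cleanup on the exceptional path
        return false;
    }
    return true;
}

// Hardened form, RAII: a guard object sets the flag in its constructor and
// clears it in its destructor, which runs on every exit from the enclosing
// scope, including stack unwinding after a throw.
class FlagGuard {
public:
    explicit FlagGuard(bool& flag) : flag_(flag) { flag_ = true; }
    ~FlagGuard() { flag_ = false; }
    FlagGuard(const FlagGuard&) = delete;
    FlagGuard& operator=(const FlagGuard&) = delete;
private:
    bool& flag_;
};

bool doStuffRaii(Resource& r) {
    try {
        for (int item : kItems) {
            FlagGuard guard(r.locked);
            process(r, item);
        }   // guard is destroyed here on normal exit and during unwinding
    } catch (const std::exception&) {
        return false;   // flag already cleared by ~FlagGuard()
    }
    return true;
}
```

For a real std::mutex the same RAII idiom is std::lock_guard or std::unique_lock; in Java the equivalent of the explicit-cleanup form is a finally block (or try-with-resources for closeable resources), which runs whether or not the try body throws.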

Related Technical Impacts


References

TBD