...
gcc 3.4.6 for example will not allow the non compliant code above . however below are reports on how the missing parameter problem has caused vulnerabilities.
Examples of vulnerabilities with CVE entry number
CVE-2002-1236, CAN-2003-0422 - CGI crashes when called without any arguments
CVE-2002-1531, CAN-2002-1077 - crash in HTTP request without a Content-Length field
CAN-2002-1358 - empty elements/strings in protocol test suite affect many SSH2 servers/clients
CAN-2003-0477 - FTP server crashes in PORT command without an argument
CVE-2002-0107 - resultant infoleak in web server via GET requests without HTTP/1.0 version string
CAN-2002-0596 - GET reqeust with empty parameter leads to error message infoleak (path disclosure)
Risk Assesment
Rule | Severity | Likelihood | Remediation Cost | Priority | Level |
|---|---|---|---|---|---|
DRAFT | 2 (medium) | 3 (likely) | 2 (medium) | P12 | L1 |