This site is the archived OWASP Foundation Wiki and is no longer accepting Account Requests.
To view the new OWASP Foundation website, please visit https://owasp.org

Difference between revisions of "Use of Obsolete Methods"

From OWASP
Jump to: navigation, search
(Description)
Line 10: Line 10:
 
As programming languages evolve, functions occasionally become obsolete due to:
 
As programming languages evolve, functions occasionally become obsolete due to:
  
Advances in the language  
+
* Advances in the language  
Improved understanding of how operations should be performed effectively and securely  
+
* Improved understanding of how operations should be performed effectively and securely  
Changes in the conventions that govern certain operations  
+
* Changes in the conventions that govern certain operations  
Functions that are removed are usually replaced by newer counterparts that perform the same task in some different and hopefully improved way.
+
* Functions that are removed are usually replaced by newer counterparts that perform the same task in some different and hopefully improved way.
  
 
Refer to the documentation for this function in order to determine why it is deprecated or obsolete and to learn about alternative ways to achieve the same functionality. The remainder of this text discusses general problems that stem from the use of deprecated or obsolete functions.
 
Refer to the documentation for this function in order to determine why it is deprecated or obsolete and to learn about alternative ways to achieve the same functionality. The remainder of this text discusses general problems that stem from the use of deprecated or obsolete functions.

Revision as of 14:51, 29 August 2006

This is a Vulnerability. To view all vulnerabilities, please see the Vulnerability Category page.

This article includes content generously donated to OWASP by MicroFocus Logo.png

Abstract

The use of deprecated or obsolete functions may indicate neglected code.

Description

As programming languages evolve, functions occasionally become obsolete due to:

  • Advances in the language
  • Improved understanding of how operations should be performed effectively and securely
  • Changes in the conventions that govern certain operations
  • Functions that are removed are usually replaced by newer counterparts that perform the same task in some different and hopefully improved way.

Refer to the documentation for this function in order to determine why it is deprecated or obsolete and to learn about alternative ways to achieve the same functionality. The remainder of this text discusses general problems that stem from the use of deprecated or obsolete functions.

Examples

The following code uses the deprecated function getpw() to verify that a plaintext password matches a user's encrypted password. If the password is valid, the function sets result to 1; otherwise it is set to 0.

	...
	getpw(uid, pwdline); 	
	for (i=0; i<3; i++){
		cryptpw=strtok(pwdline, ":");
		pwdline=0;
	}
	result = strcmp(crypt(plainpw,cryptpw), cryptpw) == 0;
	...

Although the code often behaves correctly, using the getpw() function can be problematic from a security standpoint, because it can overflow the buffer passed to its second parameter. Because of this vulnerability, getpw() has been supplanted by getpwuid(), which performs the same lookup as getpw() but returns a pointer to a statically-allocated structure to mitigate the risk.

Not all functions are deprecated or replaced because they pose a security risk. However, the presence of an obsolete function often indicates that the surrounding code has been neglected and may be in a state of disrepair. Software security has not been a priority, or even a consideration, for very long. If the program uses deprecated or obsolete functions, it raises the probability that there are security problems lurking nearby.

Related Threats

Related Attacks

Related Vulnerabilities

Related Countermeasures

Categories