Function Call With Incorrect Order of Arguments

Description

This vulnerability occurs when a program calls a function but supplies the arguments in the wrong order, which can cause unexpected behavior or security flaws.

Extended Description

This error happens when the sequence of values passed to a function doesn't match the order its parameters expect. For example, swapping a username and password argument could grant unintended access. While modern compilers for strongly-typed languages often catch these mistakes, they slip through more easily in languages with flexible function signatures. It's particularly common in functions that accept variable arguments, like C's `printf` format strings, or in dynamically-typed environments where type checking is minimal. Developers should rely on named parameters when available, use static analysis tools, and maintain clear documentation for function interfaces to prevent these subtle but dangerous bugs.

Common Consequences 1

Scope: Other

Impact: Quality Degradation

Potential Mitigations 2

Phase: Implementation

Use the function, procedure, or routine as specified.

Phase: Testing

Because this function call often produces incorrect behavior it will usually be detected during testing or normal operation of the product. During testing exercise all possible control paths will typically expose this weakness except in rare cases when the incorrect function call accidentally produces the correct results or if the provided argument type is very similar to the expected argument type.

Demonstrative Examples 1

ID : DX-62

The following PHP method authenticates a user given a username/password combination but is called with the parameters in reverse order.

Code Example:

Bad

PHP

php

// authenticate user* ...}

php

Observed Examples 1

CVE-2006-7049Application calls functions with arguments in the wrong order, allowing attacker to bypass intended access restrictions.