CWE-624 – Executable Regular Expression Error

Description

The product uses a regular expression that either (1) contains an executable component with user-controlled inputs, or (2) allows a user to enable execution by inserting pattern modifiers.

Case (2) is possible in the PHP preg_replace() function, and possibly in other languages when a user-controlled input is inserted into a string that is later parsed as a regular expression.

Modes of Introduction:

– Implementation

Related Weaknesses

CWE-77

Consequences

Confidentiality, Integrity, Availability: Execute Unauthorized Code or Commands

Potential Mitigations

Phase: Implementation

Description: 

The regular expression feature in some languages allows inputs to be quoted or escaped before insertion, such as \Q and \E in Perl.
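The PHP counterpart of Perl's \Q...\E is preg_quote(). The following is an added example, not code from the CWE entry: the delimiter and modifiers stay fixed in code and the user-supplied search string is quoted, so it can neither close the pattern early nor append a modifier of its own.

```php
<?php
// Added example (not from the CWE entry): building a preg_replace()
// pattern from user input. The delimiter and the modifier set are fixed
// in code, and preg_quote() escapes the delimiter and every regex
// metacharacter in the input, so the input cannot end the pattern early
// and append modifiers of its own (such as the PHP 4/5 "e" modifier).
declare(strict_types=1);

function safe_literal_replace(string $needle, string $replacement, string $subject): string
{
    if ($needle === '') {
        throw new InvalidArgumentException('empty search string');
    }
    // The second argument makes preg_quote() escape our delimiter as well.
    $pattern = '/' . preg_quote($needle, '/') . '/';

    // Escape "\" and "$" in the replacement so it cannot be read as a
    // back-reference ($1, ${1}, \1) either.
    $literal = strtr($replacement, ['\\' => '\\\\', '$' => '\\$']);

    $result = preg_replace($pattern, $literal, $subject);
    if ($result === null) {
        throw new RuntimeException('preg_replace failed, error ' . preg_last_error());
    }
    return $result;
}

// Constructed input: a search string containing the delimiter, which in
// an unquoted pattern would terminate it and turn "e" into a modifier.
$needle  = 'x/e';
$subject = 'x/e and x/e';
echo safe_literal_replace($needle, '[removed]', $subject), "\n";
// If no regex semantics are needed at all, str_replace() avoids the
// problem entirely; the pattern above is only for when a regex is required.
```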

CVE References

  • CVE-2006-2059
    • Executable regexp in PHP by inserting “e” modifier into first argument to preg_replace
  • CVE-2005-3420
    • Executable regexp in PHP by inserting “e” modifier into first argument to preg_replace
  • CVE-2006-2878
    • Complex curly syntax inserted into the replacement argument to PHP preg_replace(), which uses the “/e” modifier
  • CVE-2006-2908
    • Function allows remote attackers to execute arbitrary PHP code via the username field, which is used in a preg_replace function call with a /e (executable) modifier.

CWE-623 – Unsafe ActiveX Control Marked Safe For Scripting

Description

An ActiveX control is intended for restricted use, but it has been marked as safe-for-scripting.

This might allow attackers to use dangerous functionality via a web page that accesses the control, which can lead to different resultant vulnerabilities, depending on the control’s behavior.

Modes of Introduction:

– Architecture and Design

Related Weaknesses

CWE-267
CWE-691
CWE-618

Consequences

Confidentiality, Integrity, Availability: Execute Unauthorized Code or Commands

Potential Mitigations

Phase: Architecture and Design

Description: 

During development, do not mark it as safe for scripting.

Phase: System Configuration

Description: 

After distribution, you can set the kill bit for the control so that it is not accessible from Internet Explorer.

CVE References

  • CVE-2007-0617
    • control allows attackers to add malicious email addresses to bypass spam limits

CWE-622 – Improper Validation of Function Hook Arguments

Description

The product adds hooks to user-accessible API functions, but it does not properly validate the arguments. This could lead to resultant vulnerabilities.

Such hooks can be used in defensive software that runs with privileges, such as anti-virus or firewall, which hooks kernel calls. When the arguments are not validated, they could be used to bypass the protection scheme or attack the product itself.

Modes of Introduction:

– Implementation

Related Weaknesses

CWE-20

Consequences

Integrity: Unexpected State

Potential Mitigations

Phase: Architecture and Design

Description: 

Ensure that all arguments are verified, as defined by the API you are protecting.

Phase: Architecture and Design

Description: 

Drop privileges before invoking such functions, if possible.

CVE References

  • CVE-2007-0708
    • DoS in firewall using standard Microsoft functions
  • CVE-2006-7160
    • DoS in firewall using standard Microsoft functions
  • CVE-2007-1376
    • function does not verify that its argument is the proper type, leading to arbitrary memory write
  • CVE-2007-1220
    • invalid syscall arguments bypass code execution limits

CWE-621 – Variable Extraction Error

Description

The product uses external input to determine the names of variables into which information is extracted, without verifying that the names of the specified variables are valid. This could cause the program to overwrite unintended variables.

Modes of Introduction:

– Implementation

Related Weaknesses

CWE-914
CWE-471

Consequences

Integrity: Modify Application Data

An attacker could modify sensitive data or program variables.

Potential Mitigations

Phase: Implementation

Description: 

Use allowlists of variable names that can be extracted.

Phase: Implementation

Description: 

Consider refactoring your code to avoid extraction routines altogether.

Phase: Implementation

Description: 

In PHP, call extract() with options such as EXTR_SKIP and EXTR_PREFIX_ALL; call import_request_variables() with a prefix argument. Note that these capabilities are not present in all PHP versions.
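The three mitigations above combined, as an added example that is not part of the CWE entry: request keys are allowlisted first, and extract() is called either with EXTR_PREFIX_ALL (every imported name gets a prefix) or with EXTR_SKIP (existing variables are never overwritten). The request array and the variable names are constructed for the demonstration.

```php
<?php
// Added example (not from the CWE entry): importing request variables into
// local scope without letting the request decide which existing variables
// get overwritten.
declare(strict_types=1);

function allowlisted(array $input, array $allowed): array
{
    // Keep only the keys the application expects; every other key
    // (including names of internal variables) is dropped.
    return array_intersect_key($input, array_flip($allowed));
}

function render_prefixed(array $input): string
{
    $is_admin = false;   // application state that must not be overwritten
    // EXTR_PREFIX_ALL stores each imported value as $req_<name>, so no
    // request key can alias a local variable such as $is_admin.
    extract(allowlisted($input, ['page']), EXTR_PREFIX_ALL, 'req');
    $page = isset($req_page) ? (int) $req_page : 1;
    return sprintf('page=%d admin=%s', $page, $is_admin ? 'yes' : 'no');
}

function render_skip(array $input): string
{
    $is_admin = false;   // defined before extract(), so EXTR_SKIP protects it
    // EXTR_SKIP leaves any variable that already exists in this scope
    // untouched; a request key named "is_admin" is silently ignored.
    extract($input, EXTR_SKIP);
    $page = isset($page) ? (int) $page : 1;
    return sprintf('page=%d admin=%s', $page, $is_admin ? 'yes' : 'no');
}

// Constructed request data: a legitimate "page" field plus a key chosen
// to collide with the application's $is_admin variable.
$request = ['page' => '2', 'is_admin' => '1'];
echo render_prefixed($request), "\n";
echo render_skip($request), "\n";
```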

CVE References

  • CVE-2006-7079
    • extract used for register_globals compatibility layer, enables path traversal
  • CVE-2007-0649
    • extract() buried in include files makes post-disclosure analysis confusing; original report had seemed incorrect.
  • CVE-2006-2828
    • import_request_variables() buried in include files makes post-disclosure analysis confusing

CWE-620 – Unverified Password Change

Description

When setting a new password for a user, the product does not require knowledge of the original password or the use of another form of authentication.

This could be used by an attacker to change passwords for another user, thus gaining the privileges associated with that user.

Modes of Introduction:

– Architecture and Design

Related Weaknesses

CWE-287

Consequences

Access Control: Bypass Protection Mechanism, Gain Privileges or Assume Identity

Potential Mitigations

Phase: Architecture and Design

Description: 

When prompting for a password change, force the user to provide the original password in addition to the new password.

Phase: Architecture and Design

Description: 

Do not use “forgotten password” functionality. But if you must, ensure that you are only providing information to the actual user, e.g. by using an email address or challenge question that the legitimate user already provided in the past; do not allow the current user to change this identity information until the correct password has been provided.
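Both mitigations in code, as an added example that is not part of the CWE entry: the password change and the change of recovery identity each re-prove the current password, and both act only on the account bound to the server-side session. UserStore is an assumed interface standing in for the application's real user storage, and the length policy is an assumption.

```php
<?php
// Added example (not from the CWE entry): account changes that first
// re-prove the current password, and that act only on the account bound
// to the authenticated session. UserStore is an assumed interface.
declare(strict_types=1);

interface UserStore
{
    public function passwordHashFor(int $userId): ?string;
    public function setPasswordHash(int $userId, string $hash): void;
    public function setRecoveryEmail(int $userId, string $email): void;
}

// Shared check: the caller must know the account's current password.
function verify_current_password(UserStore $store, int $userId, string $current): bool
{
    $hash = $store->passwordHashFor($userId);
    return $hash !== null && password_verify($current, $hash);
}

// $sessionUserId comes from the server-side session, never from the
// request, so a user cannot name another account to change.
function change_password(UserStore $store, int $sessionUserId, string $current, string $new): bool
{
    if (!verify_current_password($store, $sessionUserId, $current)) {
        return false;                       // the CWE-620 check
    }
    if (strlen($new) < 12 || $new === $current) {
        return false;                       // assumed local policy
    }
    $store->setPasswordHash($sessionUserId, password_hash($new, PASSWORD_DEFAULT));
    return true;
}

// The recovery address (where a "forgotten password" flow would send mail)
// is gated by the same proof, so it cannot be redirected without the
// current password.
function change_recovery_email(UserStore $store, int $sessionUserId, string $current, string $email): bool
{
    if (!verify_current_password($store, $sessionUserId, $current)) {
        return false;
    }
    if (filter_var($email, FILTER_VALIDATE_EMAIL) === false) {
        return false;
    }
    $store->setRecoveryEmail($sessionUserId, $email);
    return true;
}
```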

CVE References

  • CVE-2007-0681
    • Web app allows remote attackers to change the passwords of arbitrary users without providing the original password, and possibly perform other unauthorized actions.
  • CVE-2000-0944
    • Web application password change utility doesn’t check the original password.

CWE-62 – UNIX Hard Link

Description

The software, when opening a file or directory, does not sufficiently account for when the name is associated with a hard link to a target that is outside of the intended control sphere. This could allow an attacker to cause the software to operate on unauthorized files.

Failure of a system to check for hard links can result in vulnerability to different types of attacks. For example, an attacker can escalate their privileges if a file used by a privileged program is replaced with a hard link to a sensitive file (e.g. /etc/passwd). When the process opens the file, the attacker can assume the privileges of that process.
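One way a privileged process can perform the missing check, as an added example that is not part of the CWE entry: open the file, then inspect the open descriptor with fstat() rather than the path, and refuse anything that is not a single-linked regular file owned by the expected user. The function name, mode and owner policy are assumptions.

```php
<?php
// Added example (not from the CWE entry): opening a file a privileged
// process will write to, then checking the opened handle (not the path)
// for extra hard links, file type and ownership. Checking the handle
// avoids a check-then-use race against the path name.
declare(strict_types=1);

/** @return resource */
function open_unlinked_owned(string $path, int $expectedUid)
{
    // 'c+' creates the file if absent and never truncates an existing one.
    $fp = fopen($path, 'c+');
    if ($fp === false) {
        throw new RuntimeException("cannot open $path");
    }
    $st = fstat($fp);

    // Only a regular file is acceptable (device nodes etc. are refused).
    if (($st['mode'] & 0170000) !== 0100000) {
        fclose($fp);
        throw new RuntimeException("$path is not a regular file");
    }
    // nlink > 1 means another directory entry names the same inode, i.e.
    // a hard link; writing here would also change that other "file".
    if ($st['nlink'] !== 1) {
        fclose($fp);
        throw new RuntimeException("$path has {$st['nlink']} links; refusing");
    }
    if ($st['uid'] !== $expectedUid) {
        fclose($fp);
        throw new RuntimeException("$path is not owned by uid $expectedUid");
    }
    // fopen() follows symlinks (CWE-59); compare the handle with lstat()
    // of the path so a symlink at that name is rejected too.
    $ls = lstat($path);
    if ($ls === false || $ls['ino'] !== $st['ino'] || $ls['dev'] !== $st['dev']) {
        fclose($fp);
        throw new RuntimeException("$path is a symlink or was replaced");
    }
    return $fp;
}

// Usage (assumed path and owner): the returned handle, not the path, is
// what the caller then reads or writes.
// $fp = open_unlinked_owned('/var/run/example.lock', posix_geteuid());
```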

Modes of Introduction:

– Implementation

Related Weaknesses

CWE-59

Consequences

Confidentiality, Integrity: Read Files or Directories, Modify Files or Directories

Potential Mitigations

Phase: Architecture and Design

Description: 

CVE References

  • CVE-2001-1494
    • Hard link attack, file overwrite; interesting because program checks against soft links
  • CVE-2002-0793
    • Hard link and possibly symbolic link following vulnerabilities in embedded operating system allow local users to overwrite arbitrary files.
  • CVE-2003-0578
    • Server creates hard links and unlinks files as root, which allows local users to gain privileges by deleting and overwriting arbitrary files.
  • CVE-1999-0783
    • Operating system allows local users to conduct a denial of service by creating a hard link from a device special file to a file on an NFS file system.
  • CVE-2004-1603
    • Web hosting manager follows hard links, which allows local users to read or modify arbitrary files.
  • CVE-2004-1901
    • Package listing system allows local users to overwrite arbitrary files via a hard link attack on the lockfiles.
  • CVE-2005-0342
    • The Finder in Mac OS X and earlier allows local users to overwrite arbitrary files and gain privileges by creating a hard link from the .DS_Store file to an arbitrary file.

CWE-619 – Dangling Database Cursor (‘Cursor Injection’)

Description

If a database cursor is not closed properly, then it could become accessible to other users while retaining the same privileges that were originally assigned, leaving the cursor “dangling.”

For example, an improper dangling cursor could arise from unhandled exceptions. The impact of the issue depends on the cursor’s role, but SQL injection attacks are commonly possible.

A cursor is a feature in Oracle PL/SQL and other languages that provides a handle for executing and accessing the results of SQL queries.

Modes of Introduction:

– Implementation

Related Weaknesses

CWE-402

Consequences

Confidentiality, Integrity: Read Application Data, Modify Application Data

Potential Mitigations

Phase: Implementation

Description: 

Close cursors immediately after access to them is complete. Ensure that you close cursors if exceptions occur.

CVE References

CWE-618 – Exposed Unsafe ActiveX Method

Description

An ActiveX control is intended for use in a web browser, but it exposes dangerous methods that perform actions that are outside of the browser’s security model (e.g. the zone or domain).

ActiveX controls can exercise far greater control over the operating system than typical Java or JavaScript. Exposed methods can be subject to various vulnerabilities, depending on the implemented behaviors of those methods, and whether input validation is performed on the provided arguments. If there is no integrity checking or origin validation, such a method could be invoked by attackers.

Modes of Introduction:

– Architecture and Design

Related Weaknesses

CWE-749

Consequences

Other: Other

Potential Mitigations

Phase: Implementation

Description: 

If you must expose a method, make sure to perform input validation on all arguments, and protect against all possible vulnerabilities.

Phase: Architecture and Design

Description: 

Use code signing, although this does not protect against any weaknesses that are already in the control.

Phase: Architecture and Design, System Configuration

Description: 

Where possible, avoid marking the control as safe for scripting.

CVE References

  • CVE-2006-6838
    • control downloads and executes a url in a parameter

CWE-617 – Reachable Assertion

Description

The product contains an assert() or similar statement that can be triggered by an attacker, which leads to an application exit or other behavior that is more severe than necessary.

Modes of Introduction:

– Implementation

Related Weaknesses

CWE-670

Consequences

Availability: DoS: Crash, Exit, or Restart

An attacker who can trigger an assert statement can cause a denial of service if the relevant code is reachable by the attacker and the scope of the assert() extends beyond the attacker’s own session.

Potential Mitigations

Phase: Implementation

Description: 

Make sensitive open/close operations (e.g. opening and closing resources) unreachable by directly user-controlled data.

Phase: Implementation

Description: 

Perform input validation on user data.

CVE References

  • CVE-2006-6767
    • FTP server allows remote attackers to cause a denial of service (daemon abort) via crafted commands which trigger an assertion failure.
  • CVE-2006-6811
    • Chat client allows remote attackers to cause a denial of service (crash) via a long message string when connecting to a server, which causes an assertion failure.
  • CVE-2006-5779
    • Product allows remote attackers to cause a denial of service (daemon crash) via LDAP BIND requests with long authcid names, which triggers an assertion failure.
  • CVE-2006-4095
    • Product allows remote attackers to cause a denial of service (crash) via certain queries, which cause an assertion failure.
  • CVE-2006-4574
    • Chain: security monitoring product has an off-by-one error that leads to unexpected length values, triggering an assertion.

CWE-616 – Incomplete Identification of Uploaded File Variables (PHP)

Description

The PHP application uses an old method for processing uploaded files by referencing the four global variables that are set for each file (e.g. $varname, $varname_size, $varname_name, $varname_type). These variables could be overwritten by attackers, causing the application to process unauthorized files.

These global variables could be overwritten by POST requests, cookies, or other methods of populating or overwriting these variables. This could be used to read or process arbitrary files by providing values such as “/etc/passwd”.

Modes of Introduction:

– Implementation

Related Weaknesses

CWE-345
CWE-473

Consequences

Confidentiality, Integrity: Read Files or Directories, Modify Files or Directories

Potential Mitigations

Phase: Architecture and Design

Description: 

Use PHP 4 or later.

Phase: Architecture and Design

Description: 

If you must support older PHP versions, write your own version of is_uploaded_file() and run it against $HTTP_POST_FILES['userfile'].

Phase: Implementation

Description: 

For later PHP versions, reference uploaded files using the $HTTP_POST_FILES or $_FILES variables, and use is_uploaded_file() or move_uploaded_file() to ensure that you are dealing with an uploaded file.
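The third mitigation in code, as an added example that is not part of the CWE entry: the handler reads the upload only through $_FILES, refuses anything whose temporary path is not an upload PHP created for this request, and never uses the client-supplied name as-is. The field name "userfile" and the destination directory are assumptions.

```php
<?php
// Added example (not from the CWE entry): handling an upload through
// $_FILES and is_uploaded_file()/move_uploaded_file() instead of the
// legacy $userfile, $userfile_name, ... globals. Field name and
// destination directory are assumptions.
declare(strict_types=1);

function store_upload(array $files, string $field, string $destDir): string
{
    if (!isset($files[$field]) || !is_array($files[$field])) {
        throw new RuntimeException('no such upload field');
    }
    $f = $files[$field];

    // PHP reports transport problems here; accept only a clean upload.
    $err = $f['error'] ?? UPLOAD_ERR_NO_FILE;
    if ($err !== UPLOAD_ERR_OK) {
        throw new RuntimeException('upload failed with code ' . (int) $err);
    }
    // The temporary path must be one PHP created for this request, not a
    // value that arrived in POST data or a cookie (the CWE-616 check).
    if (!isset($f['tmp_name']) || !is_uploaded_file($f['tmp_name'])) {
        throw new RuntimeException('tmp_name is not an uploaded file');
    }
    // Never trust the client-supplied name: drop any directory part and
    // restrict the characters that reach the filesystem.
    $base = basename((string) ($f['name'] ?? ''));
    $safeName = preg_replace('/[^A-Za-z0-9._-]/', '_', $base);
    if ($safeName === null || $safeName === '' || $safeName[0] === '.') {
        throw new RuntimeException('unacceptable file name');
    }
    $target = rtrim($destDir, '/') . '/' . bin2hex(random_bytes(8)) . '-' . $safeName;

    // move_uploaded_file() repeats the is_uploaded_file() check itself.
    if (!move_uploaded_file($f['tmp_name'], $target)) {
        throw new RuntimeException('could not move upload');
    }
    return $target;
}

// Usage in a request handler (assumed field name and directory):
// $stored = store_upload($_FILES, 'userfile', '/var/app/uploads');
```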

CVE References

  • CVE-2002-1460
    • Forum does not properly verify whether a file was uploaded or if the associated variables were set by POST, allowing remote attackers to read arbitrary files.
  • CVE-2002-1759
    • Product doesn’t check if the variables for an upload were set by uploading the file, or other methods such as $_POST.
  • CVE-2002-1710
    • Product does not distinguish uploaded file from other files.