CWE-287 – Improper Authentication


Description

When an actor claims to have a given identity, the software does not prove or insufficiently proves that the claim is correct.

Modes of Introduction:

– Architecture and Design

 

Likelihood of Exploit: High

 

Related Weaknesses

CWE-284

 

Consequences

Integrity, Confidentiality, Availability, Access Control: Read Application Data, Gain Privileges or Assume Identity, Execute Unauthorized Code or Commands

This weakness can lead to the exposure of resources or functionality to unintended actors, possibly providing attackers with sensitive information or even the ability to execute arbitrary code.

 

Potential Mitigations

Phase: Architecture and Design

Description: 

Use an authentication framework or library such as the OWASP ESAPI Authentication feature.

CVE References

  • CVE-2009-3421
    • login script for guestbook allows bypassing authentication by setting a “login_ok” parameter to 1.
  • CVE-2009-2382
    • admin script allows authentication bypass by setting a cookie value to “LOGGEDIN”.
  • CVE-2009-1048
    • VOIP product allows authentication bypass using 127.0.0.1 in the Host header.
  • CVE-2009-2213
    • product uses default “Allow” action, instead of default deny, leading to authentication bypass.
  • CVE-2009-2168
    • chain: redirect without exit (CWE-698) leads to resultant authentication bypass.
  • CVE-2009-3107
    • product does not restrict access to a listening port for a critical service, allowing authentication to be bypassed.
  • CVE-2009-1596
    • product does not properly implement a security-related configuration setting, allowing authentication bypass.
  • CVE-2009-2422
    • authentication routine returns “nil” instead of “false” in some situations, allowing authentication bypass using an invalid username.
  • CVE-2009-3232
    • authentication update script does not properly handle when admin does not select any authentication modules, allowing authentication bypass.
  • CVE-2009-3231
    • use of LDAP authentication with anonymous binds causes empty password to result in successful authentication.
  • CVE-2005-3435
    • product authentication succeeds if user-provided MD5 hash matches the hash in its database; this can be subjected to replay attacks.
  • CVE-2005-0408
    • chain: product generates predictable MD5 hashes using a constant value combined with username, allowing authentication bypass.

CWE-286 – Incorrect User Management


Description

The software does not properly manage a user within its environment.

Users can be assigned to the wrong group (class) of permissions resulting in unintended access rights to sensitive objects.

Modes of Introduction:

– Architecture and Design

 

 

Related Weaknesses

CWE-284

 

Consequences

Other: Varies by Context

 

Potential Mitigations

CVE References

CWE-285 – Improper Authorization


Description

The software does not perform or incorrectly performs an authorization check when an actor attempts to access a resource or perform an action.

An access control list (ACL) represents who/what has permissions to a given object. Different operating systems implement ACLs in different ways. In UNIX, there are three types of permissions: read, write, and execute. Users are divided into three classes for file access: owner, group owner, and all other users, where each class has a separate set of rights. In Windows NT, there are four basic types of permissions for files: “No access”, “Read access”, “Change access”, and “Full control”. Windows NT extends the UNIX concept of three classes of users to a list of users and groups along with their associated permissions. A user can create an object (file) and assign specified permissions to that object.

Modes of Introduction:

– Implementation

 

Likelihood of Exploit: High

 

Related Weaknesses

CWE-284

 

Consequences

Confidentiality: Read Application Data, Read Files or Directories

An attacker could read sensitive data, either by reading the data directly from a data store that is not properly restricted, or by accessing insufficiently-protected, privileged functionality to read the data.

Integrity: Modify Application Data, Modify Files or Directories

An attacker could modify sensitive data, either by writing the data directly to a data store that is not properly restricted, or by accessing insufficiently-protected, privileged functionality to write the data.

Access Control: Gain Privileges or Assume Identity

An attacker could gain privileges by modifying or reading critical data directly, or by accessing insufficiently-protected, privileged functionality.

 

Potential Mitigations

Phase: Architecture and Design

Description: 

Phase: Architecture and Design

Description: 

Ensure that you perform access control checks related to your business logic. These checks may be different than the access control checks that you apply to more generic resources such as files, connections, processes, memory, and database records. For example, a database may restrict access for medical records to a specific database user, but each record might only be intended to be accessible to the patient and the patient’s doctor.

Phase: Architecture and Design

Description: 

Phase: Architecture and Design

Description: 

Phase: System Configuration, Installation

Description: 

Use the access control capabilities of your operating system and server environment and define your access control lists accordingly. Use a “default deny” policy when defining these ACLs.
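The two mitigations above (business-logic checks that go beyond the data store's own grants, and a default-deny policy) can be combined in one record-level authorization function. The following is an added illustration, not code from CWE or from any product; the patient/doctor data model, the `Principal` and `MedicalRecord` types and all sample identifiers are constructed for the example.

```python
"""Record-level authorization with a default-deny policy (CWE-285 mitigations).

Added example: the database user the application connects as may be allowed to
read every row, but the business rule is that a medical record is visible only
to the patient and to the treating doctor. That rule is enforced here, and
anything not explicitly granted is denied.
"""
from dataclasses import dataclass, field
from enum import Enum
from typing import Dict, FrozenSet


class Action(Enum):
    READ = "read"
    WRITE = "write"


@dataclass(frozen=True)
class Principal:
    user_id: str
    roles: FrozenSet[str] = field(default_factory=frozenset)


@dataclass(frozen=True)
class MedicalRecord:
    record_id: str
    patient_id: str
    treating_doctors: FrozenSet[str]


def is_allowed(principal: Principal, action: Action, record: MedicalRecord) -> bool:
    """Return True only when an explicit rule grants `action` on `record`."""
    # Rule 1: a patient may read (but not rewrite) their own record.
    if action is Action.READ and principal.user_id == record.patient_id:
        return True
    # Rule 2: a doctor listed as treating this patient may read and write it.
    if "doctor" in principal.roles and principal.user_id in record.treating_doctors:
        return True
    # Default deny: no matching rule. This also covers roles such as "admin"
    # that have broad database rights but no business-level entitlement.
    return False


def fetch_record(principal: Principal, record_id: str,
                 store: Dict[str, MedicalRecord]) -> MedicalRecord:
    """Look up a record and apply the check before anything is returned."""
    record = store.get(record_id)
    if record is None or not is_allowed(principal, Action.READ, record):
        # One response for "missing" and "forbidden" so record IDs cannot be enumerated.
        raise PermissionError(f"access to record {record_id} denied")
    return record


# Constructed sample data for a stand-alone run.
SAMPLE_STORE = {
    "rec-1": MedicalRecord("rec-1", patient_id="pat-alice",
                           treating_doctors=frozenset({"dr-bob"})),
}

if __name__ == "__main__":
    alice = Principal("pat-alice", frozenset({"patient"}))
    print(fetch_record(alice, "rec-1", SAMPLE_STORE).record_id)  # rec-1
```

The check lives next to the business object rather than in the database grants, and the last `return False` is the whole of the "default deny" policy: adding a new role never widens access until someone writes a rule for it.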

CVE References

  • CVE-2009-3168
    • Web application does not restrict access to admin scripts, allowing authenticated users to reset administrative passwords.
  • CVE-2009-2960
    • Web application does not restrict access to admin scripts, allowing authenticated users to modify passwords of other users.
  • CVE-2009-3597
    • Web application stores database file under the web root with insufficient access control (CWE-219), allowing direct request.
  • CVE-2009-2282
    • Terminal server does not check authorization for guest access.
  • CVE-2009-3230
    • Database server does not use appropriate privileges for certain sensitive operations.
  • CVE-2009-2213
    • Gateway uses default “Allow” configuration for its authorization settings.
  • CVE-2009-0034
    • Chain: product does not properly interpret a configuration option for a system group, allowing users to gain privileges.
  • CVE-2008-6123
    • Chain: SNMP product does not properly parse a configuration option for which hosts are allowed to connect, allowing unauthorized IP addresses to connect.
  • CVE-2008-5027
    • System monitoring software allows users to bypass authorization by creating custom forms.
  • CVE-2008-7109
    • Chain: reliance on client-side security (CWE-602) allows attackers to bypass authorization using a custom client.
  • CVE-2008-3424
    • Chain: product does not properly handle wildcards in an authorization policy list, allowing unintended access.
  • CVE-2009-3781
    • Content management system does not check access permissions for private files, allowing others to view those files.
  • CVE-2008-4577
    • ACL-based protection mechanism treats negative access rights as if they are positive, allowing bypass of intended restrictions.
  • CVE-2008-6548
    • Product does not check the ACL of a page accessed using an “include” directive, allowing attackers to read unauthorized files.
  • CVE-2007-2925
    • Default ACL list for a DNS server does not set certain ACLs, allowing unauthorized DNS queries.
  • CVE-2006-6679
    • Product relies on the X-Forwarded-For HTTP header for authorization, allowing unintended access by spoofing the header.
  • CVE-2005-3623
    • OS kernel does not check for a certain privilege before setting ACLs for files.
  • CVE-2005-2801
    • Chain: file-system code performs an incorrect comparison (CWE-697), preventing default ACLs from being properly applied.
  • CVE-2001-1155
    • Chain: product does not properly check the result of a reverse DNS lookup because of operator precedence (CWE-783), allowing bypass of DNS-based access restrictions.

CWE-284 – Improper Access Control


Description

The software does not restrict or incorrectly restricts access to a resource from an unauthorized actor.

Modes of Introduction:

– Architecture and Design

 

 

Related Weaknesses

 

Consequences

Other: Varies by Context

 

Potential Mitigations

Phase: Architecture and Design, Operation

Description: 

Very carefully manage the setting, management, and handling of privileges. Explicitly manage trust zones in the software.

Phase: Architecture and Design

Description: 

CVE References

  • CVE-2010-4624
    • Bulletin board applies restrictions on number of images during post creation, but does not enforce this on editing.

CWE-283 – Unverified Ownership


Description

The software does not properly verify that a critical resource is owned by the proper entity.

Modes of Introduction:

– Architecture and Design

 

 

Related Weaknesses

CWE-282

 

Consequences

Access Control: Gain Privileges or Assume Identity

An attacker could gain unauthorized access to system resources.

 

Potential Mitigations

Phase: Architecture and Design, Operation

Description: 

Very carefully manage the setting, management, and handling of privileges. Explicitly manage trust zones in the software.

Phase: Architecture and Design

Description: 

Consider following the principle of separation of privilege. Require multiple conditions to be met before permitting access to a system resource.

CVE References

  • CVE-2001-0178
    • Program does not verify the owner of a UNIX socket that is used for sending a password.
  • CVE-2004-2012
    • Owner of special device not checked, allowing root.

CWE-282 – Improper Ownership Management


Description

The software assigns the wrong ownership, or does not properly verify the ownership, of an object or resource.

Modes of Introduction:

– Architecture and Design

 

 

Related Weaknesses

CWE-284

 

Consequences

Access Control: Gain Privileges or Assume Identity

 

Potential Mitigations

Phase: Architecture and Design, Operation

Description: 

Very carefully manage the setting, management, and handling of privileges. Explicitly manage trust zones in the software.

CVE References

  • CVE-1999-1125
    • Program runs setuid root but relies on a configuration file owned by a non-root user.

CWE-281 – Improper Preservation of Permissions


Description

The software does not preserve permissions or incorrectly preserves permissions when copying, restoring, or sharing objects, which can cause them to have less restrictive permissions than intended.

Modes of Introduction:

– Architecture and Design

 

 

Related Weaknesses

CWE-732

 

Consequences

Confidentiality, Integrity: Read Application Data, Modify Application Data

 

Potential Mitigations

CVE References

  • CVE-2002-2323
    • Incorrect ACLs used when restoring backups from directories that use symbolic links.
  • CVE-2001-1515
    • Automatic modification of permissions inherited from another file system.
  • CVE-2005-1920
    • Permissions on backup file are created with defaults, possibly less secure than original file.

CWE-280 – Improper Handling of Insufficient Permissions or Privileges


Description

The application does not handle, or incorrectly handles, the case in which it has insufficient privileges to access resources or functionality as specified by their permissions. This may cause it to follow unexpected code paths that may leave the application in an invalid state.

Modes of Introduction:

– Architecture and Design

 

 

Related Weaknesses

CWE-755

 

Consequences

Other: Other, Alter Execution Logic

 

Potential Mitigations

Phase: Architecture and Design

Description: 

Phase: Implementation

Description: 

Always check to see if you have successfully accessed a resource or system functionality, and use proper error handling if it is unsuccessful. Do this even when you are operating in a highly privileged mode, because errors or environmental conditions might still cause a failure. For example, environments with highly granular permissions/privilege models, such as Windows or Linux capabilities, can cause unexpected failures.
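The mitigation above is easiest to see against the failure mode in CVE-2004-0148 below: a server that cannot enter the user's home directory must refuse the session, not carry on wherever the process happens to be. The following is an added illustration, not code from CWE or from any FTP server; the `confine_to_home` and `fallback_confine` names and the injectable `chdir` parameter (so the permission failure can be exercised without changing real file modes) are assumptions of the example.

```python
"""Explicit handling of an insufficient-privilege failure (CWE-280).

Added example. `confine_to_home` treats every failure of the privileged
operation as a reason to stop; `fallback_confine` is the anti-pattern shown
for contrast, where the error is swallowed and the session proceeds in an
unintended directory.
"""
import os
from dataclasses import dataclass
from typing import Callable, Optional


@dataclass
class SessionOutcome:
    ok: bool
    cwd: Optional[str]   # directory the session is confined to, if any
    reason: str


def confine_to_home(home: str,
                    chdir: Callable[[str], None] = os.chdir) -> SessionOutcome:
    """Enter `home` or refuse the session; never fall back to another directory."""
    try:
        chdir(home)
    except PermissionError as exc:
        # Insufficient privilege on the home directory: a hard failure, even if
        # the server itself runs with elevated rights.
        return SessionOutcome(False, None, f"cannot enter home directory: {exc}")
    except FileNotFoundError as exc:
        return SessionOutcome(False, None, f"home directory missing: {exc}")
    except OSError as exc:
        # Any other environmental failure (e.g. a capability or mount restriction)
        # is also treated as "not confined", so the caller cannot proceed.
        return SessionOutcome(False, None, f"unexpected error entering home: {exc}")
    return SessionOutcome(True, home, "confined to home directory")


def fallback_confine(home: str,
                     chdir: Callable[[str], None] = os.chdir) -> SessionOutcome:
    """Anti-pattern for contrast: the failure is ignored and the session continues."""
    try:
        chdir(home)
    except OSError:
        pass  # the bug: no error handling, so the caller proceeds in the wrong place
    return SessionOutcome(True, os.getcwd(), "proceeded regardless of chdir result")


if __name__ == "__main__":
    def denied(_path: str) -> None:   # constructed stand-in for an unreadable home
        raise PermissionError(13, "Permission denied")
    print(confine_to_home("/home/sample-user", chdir=denied))
    print(fallback_confine("/home/sample-user", chdir=denied))
```

The caller of `confine_to_home` has to inspect `ok` before serving any request, which is the "always check" part of the mitigation; the anti-pattern returns `ok=True` with whatever directory the process was already in, which is exactly how the CVE-2004-0148 server ended up serving from the root directory.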

CVE References

  • CVE-2003-0501
    • Special file system allows attackers to prevent ownership/permission change of certain entries by opening the entries before calling a setuid program.
  • CVE-2004-0148
    • FTP server places a user in the root directory when the user’s permissions prevent access to their own home directory.

CWE-28 – Path Traversal: ‘..\filedir’


Description

The software uses external input to construct a pathname that should be within a restricted directory, but it does not properly neutralize “..” sequences that can resolve to a location that is outside of that directory.

Modes of Introduction:

– Implementation

 

 

Related Weaknesses

CWE-23

 

Consequences

Confidentiality, Integrity: Read Files or Directories, Modify Files or Directories

 

Potential Mitigations

Phase: Implementation

Description: 

Phase: Implementation

Description: 

Inputs should be decoded and canonicalized to the application’s current internal representation before being validated (CWE-180). Make sure that the application does not decode the same input twice (CWE-174). Such errors could be used to bypass allowlist validation schemes by introducing dangerous inputs after they have been checked.
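The decode-once, canonicalize, then validate order described above can be written as one small resolver. The following is an added illustration, not code from CWE; the base directory, the `resolve_under_base` and `vulnerable_resolve` names and all sample inputs are constructed for the example. It treats `\` as a separator so that the `..\` form this CWE is about is normalized before the check, and it shows the CWE-174 double-decoding mistake beside the hardened version.

```python
"""Canonicalize-then-validate for user-supplied paths (CWE-28, CWE-180, CWE-174).

Added example. `resolve_under_base` decodes exactly once, converts to the
application's internal representation (forward-slash, collapsed '.'/'..') and
only then checks containment. `vulnerable_resolve` validates the raw form and
decodes again afterwards, which is the CWE-174 defect.
"""
import posixpath
from urllib.parse import unquote


class PathRejected(ValueError):
    """Raised when the canonical path is not acceptable."""


def resolve_under_base(base: str, user_path: str) -> str:
    """Return the canonical absolute path, or raise PathRejected."""
    # Step 1: decode exactly once (CWE-174). A second decode after validation
    # would turn a checked "%252e" into "%2e" and finally into ".".
    decoded = unquote(user_path)
    if "%" in decoded and unquote(decoded) != decoded:
        # Still decodable after one pass: treat double encoding as hostile
        # rather than decoding again.
        raise PathRejected("double-encoded input")
    if "\x00" in decoded:
        raise PathRejected("NUL byte in path")
    # Step 2: canonicalize to the internal representation (CWE-180): backslash
    # becomes a separator, a leading '/' is dropped so the name is relative to
    # base, and '.'/'..' segments are collapsed.
    relative = decoded.replace("\\", "/").lstrip("/")
    candidate = posixpath.normpath(posixpath.join(base, relative))
    # Step 3: validate the canonical form, never the raw input. The trailing
    # slash stops "/srv/files-other" from passing as a child of "/srv/files".
    base = posixpath.normpath(base)
    if candidate != base and not candidate.startswith(base + "/"):
        raise PathRejected("path escapes base directory")
    return candidate


def is_path_allowed(base: str, user_path: str) -> bool:
    """Boolean wrapper around resolve_under_base for callers that only need a verdict."""
    try:
        resolve_under_base(base, user_path)
        return True
    except PathRejected:
        return False


def vulnerable_resolve(base: str, user_path: str) -> str:
    """Anti-pattern for contrast: the check runs before a second decode."""
    once = unquote(user_path)
    if ".." in once.replace("\\", "/").split("/"):
        raise PathRejected("traversal detected")
    twice = unquote(once)  # CWE-174: decoding again after the check
    return posixpath.normpath(posixpath.join(base, twice.replace("\\", "/")))


if __name__ == "__main__":
    # Constructed inputs: an ordinary request and the '..\' form from this CWE.
    print(resolve_under_base("/srv/www/files", "reports/q1.txt"))
    print(is_path_allowed("/srv/www/files", "..\\..\\etc\\passwd"))  # False
```

In `vulnerable_resolve` the segment check is genuinely correct for single-encoded input; the defect is only that the input keeps changing after the check, which is why the mitigation stresses decoding once and validating the final form.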

CVE References

  • CVE-2002-0661
    • “\” not in denylist for web server, allowing path traversal attacks when the server is run in Windows and other OSes.
  • CVE-2002-0946
    • Arbitrary files may be read via “..\” (dot dot) sequences in an HTTP request.
  • CVE-2002-1042
    • Directory traversal vulnerability in search engine for web server allows remote attackers to read arbitrary files via “..\” sequences in queries.
  • CVE-2002-1209
    • Directory traversal vulnerability in FTP server allows remote attackers to read arbitrary files via “..\” sequences in a GET request.
  • CVE-2002-1178
    • Directory traversal vulnerability in servlet allows remote attackers to execute arbitrary commands via “..\” sequences in an HTTP request.

CWE-279 – Incorrect Execution-Assigned Permissions


Description

While it is executing, the software sets the permissions of an object in a way that violates the intended permissions that have been specified by the user.

Modes of Introduction:

– Implementation

 

 

Related Weaknesses

CWE-732

 

Consequences

Confidentiality, Integrity: Read Application Data, Modify Application Data

 

Potential Mitigations

Phase: Architecture and Design, Operation

Description: 

Very carefully manage the setting, management, and handling of privileges. Explicitly manage trust zones in the software.

Phase: Architecture and Design

Description: 

CVE References