CWE-1025 – Comparison Using Wrong Factors


Description

The code performs a comparison between two entities, but the comparison examines the wrong factors or characteristics of the entities, which can lead to incorrect results and resultant weaknesses. For example, the code might inadvertently compare references to objects instead of the relevant contents of those objects, causing two "equal" objects to be considered unequal.

Modes of Introduction:

– Implementation

 

 

Related Weaknesses

CWE-697

 

Consequences

Other: Varies by Context

 

Potential Mitigations

Phase: Testing

Description: 

Thoroughly test the comparison scheme before deploying code into production. Perform positive testing as well as negative testing.


CWE-1024 – Comparison of Incompatible Types


Description

The software performs a comparison between two entities, but the entities are of different, incompatible types that cannot be guaranteed to provide correct results when they are directly compared.

In languages that are strictly typed but support casting/conversion, such as C or C++, the programmer might assume that casting one entity to the type of the other guarantees a correct comparison, but it does not: a cast can truncate, sign-extend or reinterpret the value. In languages that are not strictly typed, such as PHP or JavaScript, the loose comparison operator performs an implicit conversion the programmer may not be aware of, so that, for example, the string "123" is converted to a number before being compared, and strings such as "0000" or "0e1" compare equal to the number 0.

Modes of Introduction:

– Implementation

 

 

Related Weaknesses

CWE-697

 

Consequences

Other: Varies by Context

 

Potential Mitigations

Phase: Testing

Description: 

Thoroughly test the comparison scheme before deploying code into production. Perform positive testing as well as negative testing.


CWE-1023 – Incomplete Comparison with Missing Factors


Description

The software performs a comparison between entities that must consider multiple factors or characteristics of each entity, but the comparison does not include one or more of these factors.

An incomplete comparison can lead to resultant weaknesses, e.g., by operating on the wrong object or making a security decision without considering a required factor.

Modes of Introduction:

– Implementation

 

 

Related Weaknesses

CWE-697

 

Consequences

Integrity, Access Control: Alter Execution Logic, Bypass Protection Mechanism

 

Potential Mitigations

Phase: Testing

Description: 

Thoroughly test the comparison scheme before deploying code into production. Perform positive testing as well as negative testing.


CWE-1022 – Use of Web Link to Untrusted Target with window.opener Access


Description

The web application produces links to untrusted external sites outside of its sphere of control, but it does not properly prevent the external site from modifying security-critical properties of the window.opener object, such as the location property.

When a user clicks a link to an external site (the target), the target="_blank" attribute causes the target site's contents to open in a new window or tab. Unless the opener relationship is severed, that new tab receives a window.opener object referring to the original page. If an attacker can run script on the target page, they can modify certain properties of window.opener, including the location property, even though the two pages are not same-origin (location is one of the few properties that may be written cross-origin). Assigning window.opener.location redirects the original tab to a malicious site, e.g. a login page that mimics the original as part of a phishing attack (commonly called reverse tabnabbing). Because the redirect happens in the original tab, which sits in the background while the browser focuses the new one, the user is unlikely to notice it. Current browsers (Chrome 88+, Firefox 79+, Safari 12.1+) apply rel="noopener" by default to target="_blank" anchors, but older browsers and windows opened via window.open() without the "noopener" feature remain affected, so the explicit attribute is still required.
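
As an added example (not code from the CWE entry), the following server-side helper renders outbound links so the target page gets no usable window.opener, shown next to the attacker-side script the mitigation defends against. The function names and the phishing URL are constructed for illustration.

```javascript
'use strict';
// Added example, not from the CWE entry: render outbound links so the target
// page gets no window.opener, and show what the untrusted target would run.
// Function names and URLs are constructed for illustration.

function escapeAttr(s) {
  const map = { '&': '&amp;', '<': '&lt;', '>': '&gt;', '"': '&quot;', "'": '&#39;' };
  return String(s).replace(/[&<>"']/g, (c) => map[c]);
}

// Vulnerable form: target=_blank with no rel attribute. In browsers that do
// not imply noopener, the new tab can write window.opener.location.
function renderExternalLinkVulnerable(href, text) {
  return `<a href="${escapeAttr(href)}" target="_blank">${escapeAttr(text)}</a>`;
}

// Hardened form: only http(s) targets, and rel="noopener noreferrer" so
// window.opener is null in the new tab (noreferrer also drops the Referer).
function renderExternalLink(href, text) {
  let url;
  try {
    url = new URL(href);
  } catch {
    throw new Error(`not an absolute URL: ${href}`);
  }
  if (url.protocol !== 'http:' && url.protocol !== 'https:') {
    throw new Error(`refusing to link to scheme ${url.protocol}`);
  }
  return `<a href="${escapeAttr(url.href)}" target="_blank" rel="noopener noreferrer">${escapeAttr(text)}</a>`;
}

// What the untrusted target would run (reverse tabnabbing), kept as a string
// so this file stays runnable in Node. With noopener, window.opener is null
// and the assignment never happens.
const ATTACKER_SCRIPT = `
  if (window.opener) {
    window.opener.location = 'https://login.example.net/'; // constructed phishing URL
  }
`;

// Audit helper: does a rendered anchor carry noopener?
function hasOpenerProtection(html) {
  const m = /rel="([^"]*)"/.exec(html);
  return !!m && m[1].split(/\s+/).includes('noopener');
}

module.exports = { renderExternalLinkVulnerable, renderExternalLink, hasOpenerProtection, ATTACKER_SCRIPT };
```

The scheme check is there because an attacker who controls the href (user-supplied profile links, for instance) would otherwise get a javascript: link rendered with the trusted page's styling; it is a separate issue from window.opener but lives in the same code path. For links opened from script, pass the feature string: window.open(url, '_blank', 'noopener').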

Modes of Introduction:

– Architecture and Design

 

Likelihood of Exploit: Medium

 

Related Weaknesses

CWE-266

 

Consequences

Confidentiality: Alter Execution Logic

The user may be redirected to an untrusted page that contains undesired content or malicious script code.

 

Potential Mitigations

Phase: Architecture and Design

Description: 

Specify in the design that any linked external document must not be granted access to the location object of the calling page.



CWE-1021 – Improper Restriction of Rendered UI Layers or Frames


Description

The web application does not restrict or incorrectly restricts frame objects or UI layers that belong to another application or domain, which can lead to user confusion about which interface the user is interacting with.

A web application is expected to place restrictions on whether it is allowed to be rendered within frames, iframes, objects, embed or applet elements. Without the restrictions, users can be tricked into interacting with the application when they were not intending to.

Modes of Introduction:

– Implementation

 

 

Related Weaknesses

CWE-441
CWE-610
CWE-451

 

Consequences

Access Control: Gain Privileges or Assume Identity, Bypass Protection Mechanism, Read Application Data, Modify Application Data

An attacker can trick a user into performing actions that are masked and hidden from the user's view. The impact varies widely, depending on the functionality of the underlying application. For example, in a social media application, clickjacking could be used to trick the user into changing privacy settings.

 

Potential Mitigations


Phase: Implementation

Description: 

Content Security Policy (CSP) is a defense-in-depth mechanism that lets the application declare, in a response header, which sources of content are valid. For this weakness the relevant directive is frame-ancestors, which lists the origins allowed to embed the response in a frame, iframe, object or embed element; use 'none' to forbid framing entirely or 'self' to permit only same-origin framing. The frame-src directive is often confused with it, but it restricts what the page itself may embed and does nothing to stop the page being framed by others. Because frame-ancestors requires CSP Level 2 support, the legacy X-Frame-Options header (DENY or SAMEORIGIN) should be sent alongside it as a fallback; when both are present, browsers that understand frame-ancestors give it precedence.
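
An added example, not code from the CWE entry or from any particular framework: a helper that builds the two anti-framing headers consistently, and an audit function that decides from a response's headers whether an arbitrary origin could frame it. The function names and the portal origin are constructed.

```javascript
'use strict';
// Added example, not from the CWE entry: build consistent anti-framing
// headers, and audit a set of response headers for frameability.
// Names and origins below are constructed.

// frame-ancestors governs who may embed *this* response; frame-src would
// govern what this page embeds and is not a clickjacking control.
function frameProtectionHeaders({ allowSelf = true, ancestors = [] } = {}) {
  for (const a of ancestors) {
    if (!/^https:\/\/[a-z0-9.-]+(:\d+)?$/i.test(a)) {
      throw new Error(`frame-ancestors source must be an https origin: ${a}`);
    }
  }
  const sources = [...(allowSelf ? ["'self'"] : []), ...ancestors];
  return {
    'Content-Security-Policy': `frame-ancestors ${sources.length ? sources.join(' ') : "'none'"}`,
    // X-Frame-Options cannot express an allow-list; SAMEORIGIN is the closest
    // fallback for old browsers, DENY when nobody may frame us. Browsers that
    // understand frame-ancestors ignore X-Frame-Options when both are present.
    'X-Frame-Options': sources.length ? 'SAMEORIGIN' : 'DENY',
  };
}

// Audit helper for responses you did not write (header names lowercased, as
// Node's http module delivers them): true when any origin may frame the page.
function isFrameable(headers) {
  const csp = headers['content-security-policy'] || '';
  const m = /frame-ancestors\s+([^;]+)/i.exec(csp);
  if (m) {
    const srcs = m[1].trim().split(/\s+/);
    // '*' or a bare scheme source such as https: allows every origin
    return srcs.includes('*') || srcs.some((s) => /^https?:$/.test(s));
  }
  const xfo = (headers['x-frame-options'] || '').toUpperCase();
  return !(xfo === 'DENY' || xfo === 'SAMEORIGIN');
}

module.exports = { frameProtectionHeaders, isFrameable };
```

To apply the headers in a plain Node server, spread the returned object into res.writeHead(200, { 'Content-Type': 'text/html', ...frameProtectionHeaders({ ancestors: ['https://portal.example'] }) }). The audit function errs toward flagging: a page with neither header, or with a non-standard X-Frame-Options value such as ALLOWALL and no CSP, is reported as frameable.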

CVE References

  • CVE-2017-7440
    • E-mail preview feature in a desktop application allows clickjacking attacks via a crafted e-mail message
  • CVE-2017-5697
    • Hardware/firmware product has insufficient clickjacking protection in its web user interface
  • CVE-2017-4015
    • Clickjacking in data-loss prevention product via HTTP response header.
  • CVE-2016-2496
    • Tapjacking in permission dialog for mobile OS allows access of private storage using a partially-overlapping window.
  • CVE-2015-1241
    • Tapjacking in web browser related to page navigation and touch/gesture events.
  • CVE-2017-0492
    • System UI in mobile OS allows a malicious application to create a UI overlay of the entire screen to gain privileges.

CWE-102 – Struts: Duplicate Validation Forms


Description

The application uses multiple validation forms with the same name, which might cause the Struts Validator to validate a form that the programmer does not expect.

If two validation forms have the same name, the Struts Validator arbitrarily chooses one of the forms to use for input validation and discards the other. This decision might not correspond to the programmer’s expectations, possibly leading to resultant weaknesses. Moreover, it indicates that the validation logic is not up-to-date, and can indicate that other, more subtle validation errors are present.

Modes of Introduction:

– Implementation

 

 

Related Weaknesses

CWE-694
CWE-1173
CWE-20

 

Consequences

Integrity: Unexpected State

 

Potential Mitigations

Phase: Implementation

Description: 

DTD or schema validation will not catch the duplicate occurrence of the same form name, because each <form> element is individually well-formed. To find the issue in the implementation, apply manual checks or automated static analysis to the XML configuration files (typically validation.xml and any per-module validator files), and treat a duplicate name as a build failure rather than a warning.
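
The static check is small enough to write directly. The following is an added example, not code from the CWE entry or from Struts: it scans a validation.xml for <form> elements whose name attribute appears more than once and reports the line numbers, using a constructed sample file.

```javascript
'use strict';
// Added example, not from the CWE entry or from Struts: flag <form name="...">
// elements declared more than once in a Struts validation.xml. The sample
// XML below is constructed; real files are larger but the check is the same.

function duplicateFormNames(xml) {
  const seen = new Map();                           // name -> line numbers where declared
  // <form ... name="x"> or name='x'; does not match <form-validation> or <formset>
  const re = /<form\s+[^>]*?name\s*=\s*["']([^"']+)["']/g;
  for (const m of xml.matchAll(re)) {
    const line = xml.slice(0, m.index).split('\n').length;
    if (!seen.has(m[1])) seen.set(m[1], []);
    seen.get(m[1]).push(line);
  }
  return [...seen]
    .filter(([, lines]) => lines.length > 1)
    .map(([name, lines]) => ({ name, lines }));
}

// Constructed sample: loginForm is declared twice with different rules, so
// whichever copy the Validator keeps, one set of constraints is silently lost.
const SAMPLE_VALIDATION_XML = `<?xml version="1.0"?>
<form-validation>
  <formset>
    <form name="loginForm">
      <field property="username" depends="required,maxlength">
        <arg key="login.username"/>
        <var><var-name>maxlength</var-name><var-value>32</var-value></var>
      </field>
    </form>
    <form name="registerForm">
      <field property="email" depends="required,email"/>
    </form>
    <form name="loginForm">
      <field property="username" depends="required"/>
    </form>
  </formset>
</form-validation>`;

module.exports = { duplicateFormNames, SAMPLE_VALIDATION_XML };
```

Run it over every validator file the application loads, not just the default one; a form defined in a module-level file and again in a global one is the same weakness. For a production check, parse with a real XML parser and walk the formset elements rather than relying on the regex, which is enough for a demonstration but will miss names wrapped in CDATA or split across entity references.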


CWE-1007 – Insufficient Visual Distinction of Homoglyphs Presented to User


Description

The software displays information or identifiers to a user, but the display mechanism does not make it easy for the user to distinguish between visually similar or identical glyphs (homoglyphs), which may cause the user to misinterpret a glyph and perform an unintended, insecure action.

Modes of Introduction:

– Architecture and Design

 

Likelihood of Exploit: Medium

 

Related Weaknesses

CWE-451

 

Consequences

Integrity, Confidentiality: Other

An attacker may ultimately redirect a user to a malicious website, by deceiving the user into believing the URL they are accessing is a trusted domain. However, the attack can also be used to forge log entries by using homoglyphs in usernames. Homoglyph manipulations are often the first step towards executing advanced attacks such as stealing a user’s credentials, Cross-Site Scripting (XSS), or log forgery. If an attacker redirects a user to a malicious site, the attacker can mimic a trusted domain to steal account credentials and perform actions on behalf of the user, without the user’s knowledge. Similarly, an attacker could create a username for a website that contains homoglyph characters, making it difficult for an admin to review logs and determine which users performed which actions.

 

Potential Mitigations


CVE References

  • CVE-2013-7236
    • web forum allows impersonation of users with homoglyphs in account names
  • CVE-2012-0584
    • Improper character restriction in URLs in web browser
  • CVE-2009-0652
    • Incomplete denylist does not include homoglyphs of “/” and “?” characters in URLs
  • CVE-2017-5015
    • web browser does not convert hyphens to punycode, allowing IDN spoofing in URLs
  • CVE-2005-0233
    • homoglyph spoofing using punycode in URLs and certificates
  • CVE-2005-0234
    • homoglyph spoofing using punycode in URLs and certificates
  • CVE-2005-0235
    • homoglyph spoofing using punycode in URLs and certificates

CWE-1004 – Sensitive Cookie Without ‘HttpOnly’ Flag


Description

The software uses a cookie to store sensitive information, but the cookie is not marked with the HttpOnly flag.

The HttpOnly flag directs compatible browsers to prevent client-side script from accessing cookies. Including the HttpOnly flag in the Set-Cookie HTTP response header helps mitigate the risk associated with Cross-Site Scripting (XSS) where an attacker’s script code might attempt to read the contents of a cookie and exfiltrate information obtained. When set, browsers that support the flag will not reveal the contents of the cookie to a third party via client-side script executed via XSS.

An HTTP cookie is a small piece of data attributed to a specific website and stored on the user's computer by the browser. It can serve several purposes, including saving information entered into form fields, recording user activity and carrying authentication state. Cookies that hold user-generated state are often read and modified by script embedded in the page, whereas authentication cookies are created by the server and sent to the browser to be attached to future requests. Such cookies are not meant to be accessed by page script at all; they only need to be returned with each request so the server can verify the session.

Modes of Introduction:

– Implementation

 

Likelihood of Exploit: Medium

 

Related Weaknesses

CWE-732

 

Consequences

Confidentiality: Read Application Data

If the HttpOnly flag is not set, then sensitive information stored in the cookie may be exposed to unintended parties.

Integrity: Gain Privileges or Assume Identity

If the cookie in question is an authentication cookie, then not setting the HttpOnly flag may allow an adversary to steal authentication data (e.g., a session ID) and assume the identity of the user.

 

Potential Mitigations

Phase: Implementation

Effectiveness: High

Description: 

Leverage the HttpOnly flag when setting a sensitive cookie in a response.

While this mitigation is effective against the browser's own scripting engine, third-party components or plugins may have their own engines that can access cookies. Historically an attacker could also read the cookie from response headers via XMLHttpRequest, for instance by issuing a TRACE request (cross-site tracing); modern browsers refuse TRACE from script and treat Set-Cookie as a forbidden response header, so that path is closed. HttpOnly remains only a mitigation for XSS rather than a fix: injected script can still issue authenticated requests from the victim's browser without ever reading the cookie, and the flag should be combined with Secure and an appropriate SameSite value.
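
An added example, not code from the CWE entry: a helper that emits a session cookie with HttpOnly (plus Secure and SameSite), and a small auditor that parses a list of Set-Cookie headers and reports sensitive-looking cookies missing the flag. The sample headers and the "sensitive name" heuristic are constructed.

```javascript
'use strict';
// Added example, not from the CWE entry: build a session cookie with HttpOnly
// and audit Set-Cookie headers for sensitive cookies that lack it.
// The headers and the name heuristic below are constructed samples.

const SENSITIVE = /session|sess|auth|token|jwt|csrf/i;

// RFC 6265 token characters for the name; reject separators in the value so
// an attacker-influenced value cannot inject extra attributes.
function buildSessionCookie(name, value, { maxAgeSec = 3600, sameSite = 'Lax' } = {}) {
  if (!/^[!#$%&'*+\-.^_`|~0-9A-Za-z]+$/.test(name)) throw new Error('invalid cookie name');
  if (/[\s;,"\\]/.test(value)) throw new Error('cookie value contains forbidden characters');
  return `${name}=${value}; Path=/; Max-Age=${maxAgeSec}; HttpOnly; Secure; SameSite=${sameSite}`;
}

// Parse one Set-Cookie header into { name, value, flags }, flag names lowercased.
function parseSetCookie(header) {
  const [pair, ...attrs] = header.split(';').map((s) => s.trim());
  const eq = pair.indexOf('=');
  const flags = new Set(attrs.map((a) => a.split('=')[0].toLowerCase()));
  return { name: pair.slice(0, eq), value: pair.slice(eq + 1), flags };
}

// Names of sensitive-looking cookies that are missing HttpOnly.
function cookiesMissingHttpOnly(setCookieHeaders) {
  return setCookieHeaders
    .map(parseSetCookie)
    .filter((c) => SENSITIVE.test(c.name) && !c.flags.has('httponly'))
    .map((c) => c.name);
}

const SAMPLE_HEADERS = [                                        // constructed
  'sessionid=abc123; Path=/; Secure',                           // sensitive, no HttpOnly -> finding
  'theme=dark; Path=/',                                         // not sensitive
  'auth_token=xyz; Path=/; HttpOnly; Secure; SameSite=Strict',  // fine
];

module.exports = { buildSessionCookie, parseSetCookie, cookiesMissingHttpOnly, SAMPLE_HEADERS };
```

In Node, response.headers['set-cookie'] is already an array, so the auditor can be pointed straight at a captured response; the name heuristic is deliberately loose and should be tuned to the application's actual cookie names.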

CVE References

  • CVE-2014-3852
    • CMS written in Python does not include the HTTPOnly flag in a Set-Cookie header, allowing remote attackers to obtain potentially sensitive information via script access to this cookie.
  • CVE-2015-4138
    • Appliance for managing encrypted communications does not use HttpOnly flag.

USN-5448-1: ncurses vulnerabilities


It was discovered that ncurses was not properly checking array bounds
when executing the fmt_entry function, which could result in an
out-of-bounds write. An attacker could possibly use this issue to
execute arbitrary code. (CVE-2017-10684)

It was discovered that ncurses was not properly checking user input,
which could result in it being treated as a format argument. An
attacker could possibly use this issue to expose sensitive
information or to execute arbitrary code. (CVE-2017-10685)

It was discovered that ncurses was incorrectly performing memory
management operations and was not blocking access attempts to
illegal memory locations. An attacker could possibly use this issue
to cause a denial of service. (CVE-2017-11112, CVE-2017-13729,
CVE-2017-13730, CVE-2017-13731, CVE-2017-13732, CVE-2017-13733,
CVE-2017-13734)

It was discovered that ncurses was not properly performing checks
on pointer values before attempting to access the related memory
locations, which could lead to NULL pointer dereferencing. An
attacker could possibly use this issue to cause a denial of service.
(CVE-2017-11113)

It was discovered that ncurses was incorrectly handling loops in
libtic, which could lead to the execution of an infinite loop. An
attacker could possibly use this issue to cause a denial of service.
(CVE-2017-13728)


CVE-2021-4232


A vulnerability classified as problematic has been found in Zoo Management System 1.0. Affected is an unknown function of the file admin/manage-ticket.php. Manipulation with the input <script>alert(1)</script> leads to cross-site scripting. It is possible to launch the attack remotely.
