CWE

CWE-862 – Missing Authorization

May 26, 2022 rocco

Read Time:4 Minute, 5 Second

Description

The software does not perform an authorization check when an actor attempts to access a resource or perform an action.

An access control list (ACL) represents who/what has permissions to a given object. Different operating systems implement (ACLs) in different ways. In UNIX, there are three types of permissions: read, write, and execute. Users are divided into three classes for file access: owner, group owner, and all other users where each class has a separate set of rights. In Windows NT, there are four basic types of permissions for files: “No access”, “Read access”, “Change access”, and “Full control”. Windows NT extends the concept of three types of users in UNIX to include a list of users and groups along with their associated permissions. A user can create an object (file) and assign specified permissions to that object.

Modes of Introduction:

– Architecture and Design

Likelihood of Exploit: High

Related Weaknesses

CWE-285
CWE-284

Consequences

Confidentiality: Read Application Data, Read Files or Directories

An attacker could read sensitive data, either by reading the data directly from a data store that is not restricted, or by accessing insufficiently-protected, privileged functionality to read the data.

Integrity: Modify Application Data, Modify Files or Directories

An attacker could modify sensitive data, either by writing the data directly to a data store that is not restricted, or by accessing insufficiently-protected, privileged functionality to write the data.

Access Control: Gain Privileges or Assume Identity, Bypass Protection Mechanism

An attacker could gain privileges by modifying or reading critical data directly, or by accessing privileged functionality.

Potential Mitigations

Phase: Architecture and Design

Effectiveness:

Description:

Phase: Architecture and Design

Effectiveness:

Description:

Ensure that access control checks are performed related to the business logic. These checks may be different than the access control checks that are applied to more generic resources such as files, connections, processes, memory, and database records. For example, a database may restrict access for medical records to a specific database user, but each record might only be intended to be accessible to the patient and the patient’s doctor [REF-7].

Phase: Architecture and Design

Effectiveness:

Description:

Phase: Architecture and Design

Effectiveness:

Description:

Phase: System Configuration, Installation

Effectiveness:

Description:

Use the access control capabilities of your operating system and server environment and define your access control lists accordingly. Use a “default deny” policy when defining these ACLs.

CVE References

CVE-2009-3168
- Web application does not restrict access to admin scripts, allowing authenticated users to reset administrative passwords.

CVE-2009-3597
- Web application stores database file under the web root with insufficient access control (CWE-219), allowing direct request.

CVE-2009-2282
- Terminal server does not check authorization for guest access.

CVE-2008-5027
- System monitoring software allows users to bypass authorization by creating custom forms.

CVE-2009-3781
- Content management system does not check access permissions for private files, allowing others to view those files.

CVE-2008-6548
- Product does not check the ACL of a page accessed using an “include” directive, allowing attackers to read unauthorized files.

CVE-2009-2960
- Web application does not restrict access to admin scripts, allowing authenticated users to modify passwords of other users.

CVE-2009-3230
- Database server does not use appropriate privileges for certain sensitive operations.

CVE-2009-2213
- Gateway uses default “Allow” configuration for its authorization settings.

CVE-2009-0034
- Chain: product does not properly interpret a configuration option for a system group, allowing users to gain privileges.

CVE-2008-6123
- Chain: SNMP product does not properly parse a configuration option for which hosts are allowed to connect, allowing unauthorized IP addresses to connect.

CVE-2008-7109
- Chain: reliance on client-side security (CWE-602) allows attackers to bypass authorization using a custom client.

CVE-2008-3424
- Chain: product does not properly handle wildcards in an authorization policy list, allowing unintended access.

CVE-2005-1036
- Chain: Bypass of access restrictions due to improper authorization (CWE-862) of a user results from an improperly initialized (CWE-909) I/O permission bitmap

CVE-2008-4577
- ACL-based protection mechanism treats negative access rights as if they are positive, allowing bypass of intended restrictions.

CVE-2007-2925
- Default ACL list for a DNS server does not set certain ACLs, allowing unauthorized DNS queries.

CVE-2006-6679
- Product relies on the X-Forwarded-For HTTP header for authorization, allowing unintended access by spoofing the header.

CVE-2005-3623
- OS kernel does not check for a certain privilege before setting ACLs for files.

CVE-2005-2801
- Chain: file-system code performs an incorrect comparison (CWE-697), preventing default ACLs from being properly applied.

CVE-2001-1155
- Chain: product does not properly check the result of a reverse DNS lookup because of operator precedence (CWE-783), allowing bypass of DNS-based access restrictions.

CVE-2020-17533
- Chain: unchecked return value (CWE-252) of some functions for policy enforcement leads to authorization bypass (CWE-862)

CWE

CWE-86 – Improper Neutralization of Invalid Characters in Identifiers in Web Pages

May 26, 2022 rocco

Read Time:1 Minute, 13 Second

Description

The software does not neutralize or incorrectly neutralizes invalid characters or byte sequences in the middle of tag names, URI schemes, and other identifiers.

Some web browsers may remove these sequences, resulting in output that may have unintended control implications. For example, the software may attempt to remove a “javascript:” URI scheme, but a “java%00script:” URI may bypass this check and still be rendered as active javascript by some browsers, allowing XSS or other attacks.

Modes of Introduction:

– Implementation

Likelihood of Exploit:

Related Weaknesses

CWE-79
CWE-184
CWE-436

Consequences

Confidentiality, Integrity, Availability: Read Application Data, Execute Unauthorized Code or Commands

Potential Mitigations

Phase: Implementation

Effectiveness:

Description:

Phase: Implementation

Effectiveness: Defense in Depth

Description:

To help mitigate XSS attacks against the user’s session cookie, set the session cookie to be HttpOnly. In browsers that support the HttpOnly feature (such as more recent versions of Internet Explorer and Firefox), this attribute can prevent the user’s session cookie from being accessible to malicious client-side scripts that use document.cookie. This is not a complete solution, since HttpOnly is not supported by all browsers. More importantly, XMLHTTPRequest and other powerful browser technologies provide read access to HTTP headers, including the Set-Cookie header in which the HttpOnly flag is set.

CVE References

CVE-2004-0595
- XSS filter doesn’t filter null characters before looking for dangerous tags, which are ignored by web browsers. Multiple Interpretation Error (MIE) and validate-before-cleanse.

CWE

CWE-85 – Doubled Character XSS Manipulations

May 26, 2022 rocco

Read Time:1 Minute, 38 Second

Description

The web application does not filter user-controlled input for executable script disguised using doubling of the involved characters.

Modes of Introduction:

– Implementation

Likelihood of Exploit:

Related Weaknesses

CWE-79
CWE-675

Consequences

Confidentiality, Integrity, Availability: Read Application Data, Execute Unauthorized Code or Commands

Potential Mitigations

Phase: Implementation

Effectiveness:

Description:

Resolve all filtered input to absolute or canonical representations before processing.

Phase: Implementation

Effectiveness:

Description:

Carefully check each input parameter against a rigorous positive specification (allowlist) defining the specific characters and format allowed. All input should be neutralized, not just parameters that the user is supposed to specify, but all data in the request, including tag attributes, hidden fields, cookies, headers, the URL itself, and so forth. A common mistake that leads to continuing XSS vulnerabilities is to validate only fields that are expected to be redisplayed by the site. We often encounter data from the request that is reflected by the application server or the application that the development team did not anticipate. Also, a field that is not currently reflected may be used by a future developer. Therefore, validating ALL parts of the HTTP request is recommended.

Phase: Implementation

Effectiveness:

Description:

Phase: Implementation

Effectiveness:

Description:

With Struts, write all data from form beans with the bean’s filter attribute set to true.

Phase: Implementation

Effectiveness: Defense in Depth

Description:

CVE References

CVE-2002-2086
- XSS using “

Read Time:54 Second

Description

The program allocates or initializes a resource such as a pointer, object, or variable using one type, but it later accesses that resource using a type that is incompatible with the original type.

Modes of Introduction:

– Implementation

Likelihood of Exploit:

Related Weaknesses

CWE-704
CWE-704
CWE-119

Consequences

Availability, Integrity, Confidentiality: Read Memory, Modify Memory, Execute Unauthorized Code or Commands, DoS: Crash, Exit, or Restart

When a memory buffer is accessed using the wrong type, it could read or write memory out of the bounds of the buffer, if the allocated buffer is smaller than the type that the code is attempting to access, leading to a crash and possibly code execution.

Potential Mitigations

CVE References

CVE-2010-4577
- Type confusion in CSS sequence leads to out-of-bounds read.

CVE-2011-0611
- Size inconsistency allows code execution, first discovered when it was actively exploited in-the-wild.

CVE-2010-0258
- Improperly-parsed file containing records of different types leads to code execution when a memory location is interpreted as a different object than intended.

CWE

CWE-842 – Placement of User into Incorrect Group

May 26, 2022 rocco

Read Time:56 Second

Description

The software or the administrator places a user into an incorrect group.

If the incorrect group has more access or privileges than the intended group, the user might be able to bypass intended security policy to access unexpected resources or perform unexpected actions. The access-control system might not be able to detect malicious usage of this group membership.

Modes of Introduction:

– Implementation

Likelihood of Exploit:

Related Weaknesses

CWE-286

Consequences

Access Control: Gain Privileges or Assume Identity

Potential Mitigations

CVE References

CVE-1999-1193
- Operating system assigns user to privileged wheel group, allowing the user to gain root privileges.

CVE-2010-3716
- Chain: drafted web request allows the creation of users with arbitrary group membership.

CVE-2008-5397
- Chain: improper processing of configuration options causes users to contain unintended group memberships.

CVE-2007-6644
- CMS does not prevent remote administrators from promoting other users to the administrator group, in violation of the intended security model.

CVE-2007-3260
- Product assigns members to the root group, allowing escalation of privileges.

CVE-2002-0080
- Chain: daemon does not properly clear groups before dropping privileges.

CWE

CWE-841 – Improper Enforcement of Behavioral Workflow

May 26, 2022 rocco

Read Time:1 Minute, 19 Second

Description

The software supports a session in which more than one behavior must be performed by an actor, but it does not properly ensure that the actor performs the behaviors in the required sequence.

Modes of Introduction:

– Implementation

Likelihood of Exploit:

Related Weaknesses

CWE-691

Consequences

Other: Alter Execution Logic

An attacker could cause the software to skip critical steps or perform them in the wrong order, bypassing its intended business logic. This can sometimes have security implications.

Potential Mitigations

CVE References

CVE-2011-0348
- Bypass of access/billing restrictions by sending traffic to an unrestricted destination before sending to a restricted destination.

CVE-2007-3012
- Attacker can access portions of a restricted page by canceling out of a dialog.

CVE-2009-5056
- Ticket-tracking system does not enforce a permission setting.

CVE-2004-2164
- Shopping cart does not close a database connection when user restores a previous order, leading to connection exhaustion.

CVE-2003-0777
- Chain: product does not properly handle dropped connections, leading to missing NULL terminator (CWE-170) and segmentation fault.

CVE-2005-3327
- Chain: Authentication bypass by skipping the first startup step as required by the protocol.

CVE-2004-0829
- Chain: File server crashes when sent a “find next” request without an initial “find first.”

CVE-2010-2620
- FTP server allows remote attackers to bypass authentication by sending (1) LIST, (2) RETR, (3) STOR, or other commands without performing the required login steps first.

CVE-2005-3296
- FTP server allows remote attackers to list arbitrary directories as root by running the LIST command before logging in.

CWE

CWE-84 – Improper Neutralization of Encoded URI Schemes in a Web Page

May 26, 2022 rocco

Read Time:2 Minute, 8 Second

Description

The web application improperly neutralizes user-controlled input for executable script disguised with URI encodings.

Modes of Introduction:

– Architecture and Design

Likelihood of Exploit:

Related Weaknesses

CWE-79

Consequences

Integrity: Unexpected State

Potential Mitigations

Phase: Implementation

Effectiveness:

Description:

Resolve all URIs to absolute or canonical representations before processing.

Phase: Implementation

Effectiveness:

Description:

Phase: Implementation

Effectiveness:

Description:

Phase: Implementation

Effectiveness:

Description:

With Struts, write all data from form beans with the bean’s filter attribute set to true.

Phase: Implementation

Effectiveness: Defense in Depth

Description:

CVE References

CVE-2005-0563
- Cross-site scripting (XSS) vulnerability in Microsoft Outlook Web Access (OWA) component in Exchange Server 5.5 allows remote attackers to inject arbitrary web script or HTML via an email message with an encoded javascript: URL (“jav&#X41sc ript:”) in an IMG tag.

CVE-2005-2276
- Cross-site scripting (XSS) vulnerability in Novell Groupwise WebAccess 6.5 before July 11, 2005 allows remote attackers to inject arbitrary web script or HTML via an e-mail message with an encoded javascript URI (e.g. “j&#X41vascript” in an IMG tag).

CVE-2005-0692
- Encoded script within BBcode IMG tag.

CVE-2002-0117
- Encoded “javascript” in IMG tag.

CVE-2002-0118
- Encoded “javascript” in IMG tag.

CWE

CWE-839 – Numeric Range Comparison Without Minimum Check

May 26, 2022 rocco

Read Time:1 Minute, 58 Second

Description

The program checks a value to ensure that it is less than or equal to a maximum, but it does not also verify that the value is greater than or equal to the minimum.

Modes of Introduction:

Likelihood of Exploit:

Related Weaknesses

CWE-1023
CWE-195
CWE-682
CWE-119
CWE-124

Consequences

Integrity, Confidentiality, Availability: Modify Application Data, Execute Unauthorized Code or Commands

An attacker could modify the structure of the message or data being sent to the downstream component, possibly injecting commands.

Availability: DoS: Resource Consumption (Other)

in some contexts, a negative value could lead to resource consumption.

Confidentiality, Integrity: Modify Memory, Read Memory

If a negative value is used to access memory, buffers, or other indexable structures, it could access memory outside the bounds of the buffer.

Potential Mitigations

Phase: Implementation

Effectiveness:

Description:

If the number to be used is always expected to be positive, change the variable type from signed to unsigned or size_t.

Phase: Implementation

Effectiveness:

Description:

If the number to be used could have a negative value based on the specification (thus requiring a signed value), but the number should only be positive to preserve code correctness, then include a check to ensure that the value is positive.

CVE References

CVE-2010-1866
- Chain: integer overflow causes a negative signed value, which later bypasses a maximum-only check, leading to heap-based buffer overflow.

CVE-2009-1099
- Chain: 16-bit counter can be interpreted as a negative value, compared to a 32-bit maximum value, leading to buffer under-write.

CVE-2011-0521
- Chain: kernel’s lack of a check for a negative value leads to memory corruption.

CVE-2010-3704
- Chain: parser uses atoi() but does not check for a negative value, which can happen on some platforms, leading to buffer under-write.

CVE-2010-2530
- Chain: Negative value stored in an int bypasses a size check and causes allocation of large amounts of memory.

CVE-2009-3080
- Chain: negative offset value to IOCTL bypasses check for maximum index, then used as an array index for buffer under-read.

CVE-2008-6393
- chain: file transfer client performs signed comparison, leading to integer overflow and heap-based buffer overflow.

CVE-2008-4558
- chain: negative ID in media player bypasses check for maximum index, then used as an array index for buffer under-read.

CWE

CWE-838 – Inappropriate Encoding for Output Context

May 26, 2022 rocco

Read Time:1 Minute, 6 Second

Description

The software uses or specifies an encoding when generating output to a downstream component, but the specified encoding is not the same as the encoding that is expected by the downstream component.

Modes of Introduction:

Likelihood of Exploit:

Related Weaknesses

CWE-116
CWE-116

Consequences

Integrity, Confidentiality, Availability: Modify Application Data, Execute Unauthorized Code or Commands

An attacker could modify the structure of the message or data being sent to the downstream component, possibly injecting commands.

Potential Mitigations

Phase: Implementation

Effectiveness:

Description:

Use context-aware encoding. That is, understand which encoding is being used by the downstream component, and ensure that this encoding is used. If an encoding can be specified, do so, instead of assuming that the default encoding is the same as the default being assumed by the downstream component.

Phase: Architecture and Design

Effectiveness:

Description:

Where possible, use communications protocols or data formats that provide strict boundaries between control and data. If this is not feasible, ensure that the protocols or formats allow the communicating components to explicitly state which encoding/decoding method is being used. Some template frameworks provide built-in support.

Phase: Architecture and Design

Effectiveness:

Description:

CVE References

CVE-2009-2814
- Server does not properly handle requests that do not contain UTF-8 data; browser assumes UTF-8, allowing XSS.

CWE

CWE-837 – Improper Enforcement of a Single, Unique Action

May 26, 2022 rocco

Read Time:1 Minute, 26 Second

Description

The software requires that an actor should only be able to perform an action once, or to have only one unique action, but the software does not enforce or improperly enforces this restriction.

In various applications, a user is only expected to perform a certain action once, such as voting, requesting a refund, or making a purchase. When this restriction is not enforced, sometimes this can have security implications. For example, in a voting application, an attacker could attempt to “stuff the ballot box” by voting multiple times. If these votes are counted separately, then the attacker could directly affect who wins the vote. This could have significant business impact depending on the purpose of the software.

Modes of Introduction:

Likelihood of Exploit:

Related Weaknesses

CWE-799

Consequences

Other:

An attacker might be able to gain advantage over other users by performing the action multiple times, or affect the correctness of the software.

Potential Mitigations

CVE References

CVE-2008-0294
- Ticket-booking web application allows a user to lock a seat more than once.

CVE-2005-4051
- CMS allows people to rate downloads by voting more than once.

CVE-2002-216
- Polling software allows people to vote more than once by setting a cookie.

CVE-2003-1433
- Chain: lack of validation of a challenge key in a game allows a player to register multiple times and lock other players out of the game.

CVE-2002-1018
- Library feature allows attackers to check out the same e-book multiple times, preventing other users from accessing copies of the e-book.

CVE-2009-2346
- Protocol implementation allows remote attackers to cause a denial of service (call-number exhaustion) by initiating many message exchanges.

Description

Related Weaknesses

Consequences

Potential Mitigations

CVE References

Description

Related Weaknesses

Consequences

Potential Mitigations

CVE References

Description

Related Weaknesses

Consequences

Potential Mitigations

CVE References

Description

Related Weaknesses

Consequences

Potential Mitigations

CVE References

Description

Related Weaknesses

Consequences

Potential Mitigations

CVE References

Description

Related Weaknesses

Consequences

Potential Mitigations

CVE References

Description

Related Weaknesses

Consequences

Potential Mitigations

CVE References

Description

Related Weaknesses

Consequences

Potential Mitigations

CVE References

Description

Related Weaknesses

Consequences

Potential Mitigations

CVE References

Description

Related Weaknesses

Consequences

Potential Mitigations

CVE References

News, Advisories and much more