All posts by rocco

CWE

CWE-562 – Return of Stack Variable Address

Read Time:1 Minute, 11 Second

Description

A function returns the address of a stack variable, which will cause unintended program behavior, typically in the form of a crash.

Because local variables are allocated on the stack, when a program returns a pointer to a local variable, it is returning a stack address. A subsequent function call is likely to re-use this same stack address, thereby overwriting the value of the pointer, which no longer corresponds to the same variable since a function’s stack frame is invalidated when it returns. At best this will cause the value of the pointer to change unexpectedly. In many cases it causes the program to crash the next time the pointer is dereferenced.

Modes of Introduction:

– Implementation

 

 

Related Weaknesses

CWE-758
CWE-672
CWE-825

 

Consequences

Availability, Integrity, Confidentiality: Read Memory, Modify Memory, Execute Unauthorized Code or Commands, DoS: Crash, Exit, or Restart

If the returned stack buffer address is dereferenced after the return, then an attacker may be able to modify or read memory, depending on how the address is used. If the address is used for reading, then the address itself may be exposed, or the contents that the address points to. If the address is used for writing, this can lead to a crash and possibly code execution.

 

Potential Mitigations

Phase: Testing

Description: 

Use static analysis tools to spot return of the address of a stack variable.

CVE References

CWE

CWE-563 – Assignment to Variable without Use

Read Time:36 Second

Description

The variable’s value is assigned but never used, making it a dead store.

After the assignment, the variable is either assigned another value or goes out of scope. It is likely that the variable is simply vestigial, but it is also possible that the unused variable points out a bug.

Modes of Introduction:

– Implementation

 

 

Related Weaknesses

CWE-1164

 

Consequences

Other: Quality Degradation, Varies by Context

This weakness could be an indication of a bug in the program or a deprecated variable that was not removed and is an indication of poor quality. This could lead to further bugs and the introduction of weaknesses.

 

Potential Mitigations

Phase: Implementation

Description: 

Remove unused variables from the code.

CVE References

CWE

CWE-564 – SQL Injection: Hibernate

Read Time:1 Minute, 30 Second

Description

Using Hibernate to execute a dynamic SQL statement built with user-controlled input can allow an attacker to modify the statement’s meaning or to execute arbitrary SQL commands.

Modes of Introduction:

– Architecture and Design

 

 

Related Weaknesses

CWE-89
CWE-89
CWE-89

 

Consequences

Confidentiality, Integrity: Read Application Data, Modify Application Data

 

Potential Mitigations

Phase: Requirements

Description: 

A non-SQL style database which is not subject to this flaw may be chosen.

Phase: Architecture and Design

Description: 

Follow the principle of least privilege when creating user accounts to a SQL database. Users should only have the minimum privileges necessary to use their account. If the requirements of the system indicate that a user can read and modify their own data, then limit their privileges so they cannot read/write others’ data.

Phase: Architecture and Design

Description: 

For any security checks that are performed on the client side, ensure that these checks are duplicated on the server side, in order to avoid CWE-602. Attackers can bypass the client-side checks by modifying values after the checks have been performed, or by changing the client to remove the client-side checks entirely. Then, these modified values would be submitted to the server.

Phase: Implementation

Description: 

Implement SQL strings using prepared statements that bind variables. Prepared statements that do not bind variables can be vulnerable to attack.

Phase: Implementation

Description: 

Use vigorous allowlist style checking on any user input that may be used in a SQL command. Rather than escape meta-characters, it is safest to disallow them entirely. Reason: Later use of data that have been entered in the database may neglect to escape meta-characters before use. Narrowly define the set of safe characters based on the expected value of the parameter in the request.

CVE References

CWE

CWE-527 – Exposure of Version-Control Repository to an Unauthorized Control Sphere

Read Time:49 Second

Description

The product stores a CVS, git, or other repository in a directory, archive, or other resource that is stored, transferred, or otherwise made accessible to unauthorized actors.

Version control repositories such as CVS or git store version-specific metadata and other details within subdirectories. If these subdirectories are stored on a web server or added to an archive, then these could be used by an attacker. This information may include usernames, filenames, path root, IP addresses, and detailed “diff” data about how files have been changed – which could reveal source code snippets that were never intended to be made public.

Modes of Introduction:

– Operation

 

 

Related Weaknesses

CWE-552

 

Consequences

Confidentiality: Read Application Data, Read Files or Directories

 

Potential Mitigations

Phase: Operation, Distribution, System Configuration

Description: 

Recommendations include removing any CVS directories and repositories from the production server, disabling the use of remote CVS repositories, and ensuring that the latest CVS patches and version updates have been performed.

CVE References

CWE

CWE-528 – Exposure of Core Dump File to an Unauthorized Control Sphere

Read Time:19 Second

Description

The product generates a core dump file in a directory, archive, or other resource that is stored, transferred, or otherwise made accessible to unauthorized actors.

Modes of Introduction:

– Operation

 

 

Related Weaknesses

CWE-552

 

Consequences

Confidentiality: Read Application Data, Read Files or Directories

 

Potential Mitigations

Phase: System Configuration

Description: 

Protect the core dump files from unauthorized access.

CVE References

CWE

CWE-529 – Exposure of Access Control List Files to an Unauthorized Control Sphere

Read Time:31 Second

Description

The product stores access control list files in a directory or other container that is accessible to actors outside of the intended control sphere.

Exposure of these access control list files may give the attacker information about the configuration of the site or system. This information may then be used to bypass the intended security policy or identify trusted systems from which an attack can be launched.

Modes of Introduction:

– Operation

 

 

Related Weaknesses

CWE-552

 

Consequences

Confidentiality, Access Control: Read Application Data, Bypass Protection Mechanism

 

Potential Mitigations

Phase: System Configuration

Description: 

Protect access control list files.

CVE References

CWE

CWE-53 – Path Equivalence: ‘multiple\internalbackslash’

Read Time:37 Second

Description

A software system that accepts path input in the form of multiple internal backslash (‘multipletrailing\slash’) without appropriate validation can lead to ambiguous path resolution and allow an attacker to traverse the file system to unintended locations or access arbitrary files.

Modes of Introduction:

– Implementation

 

 

Related Weaknesses

CWE-41
CWE-165

 

Consequences

Confidentiality, Integrity: Read Files or Directories, Modify Files or Directories

 

Potential Mitigations

Phase: Implementation

Description: 

Inputs should be decoded and canonicalized to the application’s current internal representation before being validated (CWE-180). Make sure that the application does not decode the same input twice (CWE-174). Such errors could be used to bypass allowlist validation schemes by introducing dangerous inputs after they have been checked.

CVE References

CWE

CWE-530 – Exposure of Backup File to an Unauthorized Control Sphere

Read Time:47 Second

Description

A backup file is stored in a directory or archive that is made accessible to unauthorized actors.

Often, older backup files are renamed with an extension such as .~bk to distinguish them from production files. The source code for old files that have been renamed in this manner and left in the webroot can often be retrieved. This renaming may have been performed automatically by the web server, or manually by the administrator.

Modes of Introduction:

– Operation

 

 

Related Weaknesses

CWE-552

 

Consequences

Confidentiality: Read Application Data

At a minimum, an attacker who retrieves this file would have all the information contained in it, whether that be database calls, the format of parameters accepted by the application, or simply information regarding the architectural structure of your site.

 

Potential Mitigations

Phase: Policy

Description: 

Recommendations include implementing a security policy within your organization that prohibits backing up web application source code in the webroot.

CVE References

CWE

CWE-531 – Inclusion of Sensitive Information in Test Code

Read Time:22 Second

Description

Accessible test applications can pose a variety of security risks. Since developers or administrators rarely consider that someone besides themselves would even know about the existence of these applications, it is common for them to contain sensitive information or functions.

Modes of Introduction:

– Testing

 

 

Related Weaknesses

CWE-540

 

Consequences

Confidentiality: Read Application Data

 

Potential Mitigations

Phase: Distribution, Installation

Description: 

Remove test code before deploying the application into production.

CVE References

CWE

CWE-532 – Insertion of Sensitive Information into Log File

Read Time:48 Second

Description

Information written to log files can be of a sensitive nature and give valuable guidance to an attacker or expose sensitive user information.

Modes of Introduction:

– Architecture and Design

 

Likelihood of Exploit: Medium

 

Related Weaknesses

CWE-538
CWE-200

 

Consequences

Confidentiality: Read Application Data

Logging sensitive user data often provides attackers with an additional, less-protected path to acquiring the information.

 

Potential Mitigations

Phase: Architecture and Design, Implementation

Description: 

Consider seriously the sensitivity of the information written into log files. Do not write secrets into the log files.

Phase: Distribution

Description: 

Remove debug log files before deploying the application into production.

Phase: Operation

Description: 

Protect log files against unauthorized read/write.

Phase: Implementation

Description: 

Adjust configurations appropriately when software is transitioned from a debug state to production.

CVE References

  • CVE-2017-9615
    • verbose logging stores admin credentials in a world-readablelog file