The product uses an externally controlled name or reference that resolves to a resource that is outside of the intended control sphere.
Modes of Introduction:
– Architecture and Design
Confidentiality, Integrity: Read Application Data, Modify Application Data
The software processes an XML document that can contain XML entities with URIs that resolve to documents outside of the intended sphere of control, causing the product to embed incorrect documents into its output.
Modes of Introduction:
– Implementation
Confidentiality: Read Application Data, Read Files or Directories
If the attacker is able to include a crafted DTD and a default entity resolver is enabled, the attacker may be able to access arbitrary files on the system.
Integrity: Bypass Protection Mechanism
The DTD may include arbitrary HTTP requests that the server may execute. This could lead to other attacks leveraging the server’s trust relationship with other entities.
Availability: DoS: Resource Consumption (CPU), DoS: Resource Consumption (Memory)
The software could consume excessive CPU cycles or memory using a URI that points to a large file, or a device that always returns data such as /dev/random. Alternately, the URI could reference a file that contains many nested or recursive entity references to further slow down parsing.
Phase: Implementation, System Configuration
Description:
Many XML parsers and validators can be configured to disable external entity expansion.
The product creates a search index of private or sensitive documents, but it does not properly limit index access to actors who are authorized to see the original information.
Web sites and other document repositories may apply an indexing routine against a group of private documents to facilitate search. If the index’s results are available to parties who do not have access to the documents being indexed, then attackers could obtain portions of the documents by conducting targeted searches and reading the results. The risk is especially dangerous if search results include surrounding text that was not part of the search query. This issue can appear in search engines that are not configured (or implemented) to ignore critical files that should remain hidden; even without permissions to download these files directly, the remote user could read them.
Modes of Introduction:
– Architecture and Design
Confidentiality: Read Application Data
According to WASC, “Insufficient Session Expiration is when a web site permits an attacker to reuse old session credentials or session IDs for authorization.”
Modes of Introduction:
– Architecture and Design
Access Control: Bypass Protection Mechanism
Phase: Implementation
Description:
Set sessions/credentials expiration date.
The Secure attribute for sensitive cookies in HTTPS sessions is not set, which could cause the user agent to send those cookies in plaintext over an HTTP session.
Modes of Introduction:
– Implementation
Confidentiality: Read Application Data
Phase: Implementation
Description:
Always set the secure attribute when the cookie should sent via HTTPS only.
While adding general comments is very useful, some programmers tend to leave important data, such as: filenames related to the web application, old links or links which were not meant to be browsed by users, old code fragments, etc.
An attacker who finds these comments can map the application’s structure and files, expose hidden parts of the site, and study the fragments of code to reverse engineer the application, which may help develop further attacks against the site.
Modes of Introduction:
– Implementation
Confidentiality: Read Application Data
Phase: Distribution
Description:
Remove comments which have sensitive information about the design/implementation of the application. Some of the comments may be exposed to the user and affect the security posture of the application.
The PHP application uses an old method for processing uploaded files by referencing the four global variables that are set for each file (e.g. $varname, $varname_size, $varname_name, $varname_type). These variables could be overwritten by attackers, causing the application to process unauthorized files.
These global variables could be overwritten by POST requests, cookies, or other methods of populating or overwriting these variables. This could be used to read or process arbitrary files by providing values such as “/etc/passwd”.
Modes of Introduction:
– Implementation
Confidentiality, Integrity: Read Files or Directories, Modify Files or Directories
Phase: Architecture and Design
Description:
Use PHP 4 or later.
Phase: Architecture and Design
Description:
If you must support older PHP versions, write your own version of is_uploaded_file() and run it against $HTTP_POST_FILES[‘userfile’]))
Phase: Implementation
Description:
For later PHP versions, reference uploaded files using the $HTTP_POST_FILES or $_FILES variables, and use is_uploaded_file() or move_uploaded_file() to ensure that you are dealing with an uploaded file.
The product contains an assert() or similar statement that can be triggered by an attacker, which leads to an application exit or other behavior that is more severe than necessary.
Modes of Introduction:
– Implementation
Availability: DoS: Crash, Exit, or Restart
An attacker that can trigger an assert statement can still lead to a denial of service if the relevant code can be triggered by an attacker, and if the scope of the assert() extends beyond the attacker’s own session.
Phase: Implementation
Description:
Make sensitive open/close operation non reachable by directly user-controlled data (e.g. open/close resources)
Phase: Implementation
Description:
Perform input validation on user data.
An ActiveX control is intended for use in a web browser, but it exposes dangerous methods that perform actions that are outside of the browser’s security model (e.g. the zone or domain).
ActiveX controls can exercise far greater control over the operating system than typical Java or javascript. Exposed methods can be subject to various vulnerabilities, depending on the implemented behaviors of those methods, and whether input validation is performed on the provided arguments. If there is no integrity checking or origin validation, this method could be invoked by attackers.
Modes of Introduction:
– Architecture and Design
Other: Other
Phase: Implementation
Description:
If you must expose a method, make sure to perform input validation on all arguments, and protect against all possible vulnerabilities.
Phase: Architecture and Design
Description:
Use code signing, although this does not protect against any weaknesses that are already in the control.
Phase: Architecture and Design, System Configuration
Description:
Where possible, avoid marking the control as safe for scripting.
If a database cursor is not closed properly, then it could become accessible to other users while retaining the same privileges that were originally assigned, leaving the cursor “dangling.”
For example, an improper dangling cursor could arise from unhandled exceptions. The impact of the issue depends on the cursor’s role, but SQL injection attacks are commonly possible.
A cursor is a feature in Oracle PL/SQL and other languages that provides a handle for executing and accessing the results of SQL queries.
Modes of Introduction:
– Implementation
Confidentiality, Integrity: Read Application Data, Modify Application Data
Phase: Implementation
Description:
Close cursors immediately after access to them is complete. Ensure that you close cursors if exceptions occur.