CWE-98 – Improper Control of Filename for Include/Require Statement in PHP Program (‘PHP Remote File Inclusion’)

Description

The PHP application receives input from an upstream component but does not restrict, or incorrectly restricts, that input before using it in a “require,” “include,” or similar statement.

In certain versions and configurations of PHP, this can allow an attacker to specify a URL to a remote location from which the software will obtain the code to execute. In other cases in association with path traversal, the attacker can specify a local file that may contain executable statements that can be parsed by PHP.

Modes of Introduction:

– Implementation

Likelihood of Exploit: High

 

Related Weaknesses

CWE-706
CWE-829
CWE-94
CWE-426

 

Consequences

Integrity, Confidentiality, Availability: Execute Unauthorized Code or Commands

The attacker may be able to specify arbitrary code to be executed from a remote location. Alternatively, it may be possible to use normal program behavior to get PHP code into a file on the local machine (for example a log file or an uploaded file) and then include that file. PHP executes whatever sits between PHP tags (“<?php … ?>”) and emits the rest of the file verbatim, so the surrounding content does not need to be valid PHP for the injected statements to run.

 

Potential Mitigations

Phase: Architecture and Design

Effectiveness:

Description: 

Use a vetted library or framework that does not allow this weakness to occur or provides constructs that make this weakness easier to avoid.

Phase: Architecture and Design

Effectiveness:

Description: 

Phase: Architecture and Design

Effectiveness:

Description: 

For any security checks that are performed on the client side, ensure that these checks are duplicated on the server side, in order to avoid CWE-602. Attackers can bypass the client-side checks by modifying values after the checks have been performed, or by changing the client to remove the client-side checks entirely. Then, these modified values would be submitted to the server.

Phase: Architecture and Design, Operation

Effectiveness: Limited

Description: 

The effectiveness of this mitigation depends on the prevention capabilities of the specific sandbox or jail being used and might only help to reduce the scope of an attack, such as restricting the attacker to certain system calls or limiting the portion of the file system that can be accessed.

Phase: Architecture and Design, Operation

Effectiveness:

Description: 

Run your code using the lowest privileges that are required to accomplish the necessary tasks [REF-76]. If possible, create isolated accounts with limited privileges that are only used for a single task. That way, a successful attack will not immediately give the attacker access to the rest of the software or its environment. For example, database applications rarely need to run as the database administrator, especially in day-to-day operations.

Phase: Implementation

Effectiveness: High

Description: 

Phase: Architecture and Design, Operation

Effectiveness:

Description: 

Phase: Architecture and Design, Implementation

Effectiveness:

Description: 

Phase: Operation

Effectiveness: Moderate

Description: 

Use an application firewall that can detect attacks against this weakness. It can be beneficial in cases in which the code cannot be fixed (because it is controlled by a third party), as an emergency prevention measure while more comprehensive software assurance measures are applied, or to provide defense in depth.

An application firewall might not cover all possible input vectors. In addition, attack techniques might be available to bypass the protection mechanism, such as using malformed inputs that can still be processed by the component that receives those inputs. Depending on functionality, an application firewall might inadvertently reject or modify legitimate requests. Finally, some manual effort may be required for customization.

Phase: Operation, Implementation

Effectiveness:

Description: 

Develop and run your code on the most recent supported version of PHP. (The original CWE wording says “preferably PHP 6 or later”; PHP 6 was never released.) Many of the highly risky features of earlier interpreters, such as register_globals (removed in PHP 5.4) and remote include/require, have been removed, restricted, or disabled by default.

Phase: Operation, Implementation

Effectiveness:

Description: 

Phase: Operation

Effectiveness: High

Description: 

Set allow_url_fopen to Off, which limits the ability to open files from remote locations. Since PHP 5.2.0, include and require of URLs are governed separately by allow_url_include, which defaults to Off and is deprecated as of PHP 7.4; make sure it stays Off.

Be aware that some versions of PHP will still accept ftp:// and other URI schemes, and that local stream wrappers such as php://filter and phar:// are not governed by either setting. In addition, neither setting protects the code from path traversal attacks (CWE-22), which are frequently successful against the same vulnerable code that allows remote file inclusion.
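The mitigations above come down to one rule: request data must never pick the include target directly; the page names are a fixed allowlist, URL schemes and NUL bytes are refused, and the resolved path has to stay inside the base directory. The following Python script is an added example (not CWE text and not any PHP project's code) that models the PHP front-controller pattern include($_GET['page'] . '.php') and puts a hardened resolver next to it. The page names, the temporary directory fixture and the request values are constructed for the demonstration.

```python
import os
import tempfile
from urllib.parse import urlsplit

# Hypothetical front-controller setup: the request names a "page" and the
# application includes <base>/<page>.php. These three names are the whole
# set of legitimate values.
ALLOWED_PAGES = frozenset({"home", "about", "contact"})

# Constructed request values covering the attack shapes in the CVE list:
# a remote URL, directory traversal, a NUL byte, and a PHP stream wrapper.
CONSTRUCTED_REQUESTS = [
    "home",
    "http://attacker.example/shell.txt",
    "../../../etc/passwd",
    "home\x00",
    "php://filter/convert.base64-encode/resource=index",
    "",
]


def make_fixture():
    """Create a temporary base directory with one file per allowed page."""
    base = tempfile.mkdtemp(prefix="pages_")
    for name in ALLOWED_PAGES:
        with open(os.path.join(base, name + ".php"), "w") as fh:
            fh.write("<?php echo '%s'; ?>\n" % name)
    return base


def resolve_include_vulnerable(base, page):
    """The CWE-98 pattern: include($_GET['page'] . '.php') with no checks.

    Whatever the client sent becomes the include target, URL or path alike.
    """
    return page + ".php"


def resolve_include_hardened(base, page, allowed=ALLOWED_PAGES):
    """Map an untrusted page name to a file under base, or raise ValueError.

    With an allowlist the later checks are defence in depth. Pass
    allowed=None for code paths that cannot enumerate valid names; the
    realpath containment check is then what stops traversal.
    """
    if not isinstance(page, str) or not page:
        raise ValueError("empty page name")
    if "\x00" in page:
        raise ValueError("NUL byte in page name")      # the %00 truncation trick
    if urlsplit(page).scheme:
        raise ValueError("URL scheme not allowed")     # http://, ftp://, data:, php://, phar://
    if allowed is not None and page not in allowed:
        raise ValueError("page not in allowlist")
    real_base = os.path.realpath(base)
    candidate = os.path.realpath(os.path.join(real_base, page + ".php"))
    if os.path.commonpath([candidate, real_base]) != real_base:
        raise ValueError("path escapes base directory")
    if not os.path.isfile(candidate):
        raise ValueError("no such page")
    return candidate


def classify(base, requests, allowed=ALLOWED_PAGES):
    """Run every request through the hardened resolver and record the verdict."""
    verdicts = {}
    for req in requests:
        try:
            resolve_include_hardened(base, req, allowed)
            verdicts[req] = "ok"
        except ValueError as exc:
            verdicts[req] = "rejected: %s" % exc
    return verdicts


if __name__ == "__main__":
    base = make_fixture()
    for req, verdict in classify(base, CONSTRUCTED_REQUESTS).items():
        print(repr(req), "->", verdict)
```

The order of checks is deliberate: the scheme test runs before the allowlist so that a rejected URL is reported as such, and the containment check uses realpath on both sides so symlinks and “..” are resolved before comparing.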

CVE References

 

  • CVE-2004-0285
    • Modification of assumed-immutable configuration variable in include file allows file inclusion via direct request.
  • CVE-2004-0030
    • Modification of assumed-immutable configuration variable in include file allows file inclusion via direct request.
  • CVE-2004-0068
    • Modification of assumed-immutable configuration variable in include file allows file inclusion via direct request.
  • CVE-2005-2157
    • Modification of assumed-immutable configuration variable in include file allows file inclusion via direct request.
  • CVE-2005-2162
    • Modification of assumed-immutable configuration variable in include file allows file inclusion via direct request.
  • CVE-2005-2198
    • Modification of assumed-immutable configuration variable in include file allows file inclusion via direct request.
  • CVE-2004-0128
    • Modification of assumed-immutable variable in configuration script leads to file inclusion.
  • CVE-2004-0127
    • Directory traversal vulnerability in PHP include statement.
  • CVE-2005-1971
    • Directory traversal vulnerability in PHP include statement.
  • CVE-2005-3335
    • PHP file inclusion issue, both remote and local; local include uses “..” and “%00” characters as a manipulation, but many remote file inclusion issues probably have this vector.
  • CVE-2009-1936
    • chain: library file sends a redirect if it is directly requested but continues to execute, allowing remote file inclusion and path traversal.

CWE-99 – Improper Control of Resource Identifiers (‘Resource Injection’)

Description

The software receives input from an upstream component, but it does not restrict or incorrectly restricts the input before it is used as an identifier for a resource that may be outside the intended sphere of control.

Modes of Introduction:

– Architecture and Design

Likelihood of Exploit: High

 

Related Weaknesses

CWE-74
CWE-706
CWE-73

 

Consequences

Confidentiality, Integrity: Read Application Data, Modify Application Data, Read Files or Directories, Modify Files or Directories

An attacker could gain access to or modify sensitive data or system resources. This could allow access to protected files or directories including configuration files and files containing sensitive information.

 

Potential Mitigations

Phase: Implementation

Effectiveness:

Description: 

CVE References

 

CWE-910 – Use of Expired File Descriptor

Description

The software uses or accesses a file descriptor after it has been closed.

After a file descriptor for a particular file or device has been released, its number can be handed out again by the next open. Code that keeps using the old number might not write to the original file, since the number may now refer to a different file or device.
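To make the reuse concrete, here is an added Python example (not from the CWE entry): it closes a descriptor, keeps the integer, opens a second file and writes through the stale number. The file names are constructed for the demonstration, and the reuse relies on the POSIX rule that open() returns the lowest free descriptor. The SafeHandle wrapper at the end shows the usual fix: invalidate the number on close so a later use fails loudly instead of hitting another file.

```python
import errno
import os
import tempfile


def stale_descriptor_demo():
    """Reproduce the CWE-910 hazard: a closed descriptor number is recycled.

    Returns what each file ended up containing so the mix-up is visible.
    """
    tmp = tempfile.mkdtemp(prefix="cwe910_")
    audit = os.path.join(tmp, "audit.log")   # where the write was meant to go
    other = os.path.join(tmp, "other.dat")   # what actually receives it

    fd_audit = os.open(audit, os.O_WRONLY | os.O_CREAT | os.O_TRUNC, 0o600)
    os.close(fd_audit)   # released, but the integer is kept around: the bug

    fd_other = os.open(other, os.O_WRONLY | os.O_CREAT | os.O_TRUNC, 0o600)
    # POSIX hands out the lowest free descriptor number, so fd_other normally
    # equals the stale fd_audit.
    reused = fd_other == fd_audit
    try:
        os.write(fd_audit, b"login ok\n")   # meant for audit.log
        write_error = None
    except OSError as exc:
        write_error = exc.errno             # EBADF if the number was not recycled
    os.close(fd_other)

    with open(audit, "rb") as fh:
        audit_bytes = fh.read()
    with open(other, "rb") as fh:
        other_bytes = fh.read()
    return {"reused": reused, "write_error": write_error,
            "audit": audit_bytes, "other": other_bytes}


def closed_fd_without_reuse_raises_ebadf():
    """Without an intervening open, the stale number is simply invalid."""
    fd = os.open(os.devnull, os.O_WRONLY)
    os.close(fd)
    try:
        os.write(fd, b"x")
    except OSError as exc:
        return exc.errno == errno.EBADF
    return False


class SafeHandle:
    """Owns one descriptor and invalidates it on close, so a use after close
    fails immediately instead of silently hitting whichever file now holds
    that number."""

    def __init__(self, path, flags=os.O_WRONLY | os.O_CREAT | os.O_TRUNC):
        self.fd = os.open(path, flags, 0o600)

    def write(self, data):
        if self.fd < 0:
            raise ValueError("write on closed handle")
        return os.write(self.fd, data)

    def close(self):
        if self.fd >= 0:
            os.close(self.fd)
            self.fd = -1   # never keep the stale number

    def __enter__(self):
        return self

    def __exit__(self, *exc):
        self.close()


def safe_handle_rejects_use_after_close():
    """Second close is a no-op; a write after close raises instead of misfiring."""
    path = os.path.join(tempfile.mkdtemp(prefix="cwe910_"), "safe.log")
    handle = SafeHandle(path)
    handle.write(b"first\n")
    handle.close()
    handle.close()
    try:
        handle.write(b"second\n")
    except ValueError:
        return True
    return False
```

The same invalidate-on-close discipline applies in C (set the int to -1 after close()) and is why double close is itself a bug: the second close() may hit a descriptor some other thread has just been given.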

Modes of Introduction:

– Implementation

Likelihood of Exploit: Medium

 

Related Weaknesses

CWE-672

 

Consequences

Confidentiality: Read Files or Directories

The program could read data from the wrong file.

Availability: DoS: Crash, Exit, or Restart

Accessing a file descriptor that has been closed can cause a crash.

 

Potential Mitigations

CVE References

 

CWE-911 – Improper Update of Reference Count

Description

The software uses a reference count to manage a resource, but it does not update or incorrectly updates the reference count.

Reference counts can be used when tracking how many objects contain a reference to a particular resource, such as in memory management or garbage collection. When the reference count reaches zero, the resource can be de-allocated or reused because there are no more objects that use it. If the reference count accidentally reaches zero, then the resource might be released too soon, even though it is still in use. If all objects no longer use the resource, but the reference count is not zero, then the resource might not ever be released.
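The following Python model is an added example (not CWE's code) of the bookkeeping the entry describes: a Registry owns one reference to each Resource and hands out another on every lookup. Three handlers show a correct release, an error path that forgets to release (the count never returns to zero, so the resource leaks), and a double release (the count hits zero while the registry still holds the object, so the next use is a use-after-free and the registry's own release is a double free). The names Resource, Registry and the handler functions are hypothetical.

```python
class Resource:
    """A resource that is released when its reference count reaches zero."""

    def __init__(self, name):
        self.name = name
        self.refcount = 1       # the creator (here, the registry) holds one reference
        self.freed = False

    def incref(self):
        if self.freed:
            raise RuntimeError("%s: incref on freed resource" % self.name)
        self.refcount += 1

    def decref(self):
        if self.freed:
            raise RuntimeError("%s: decref on freed resource" % self.name)
        self.refcount -= 1
        if self.refcount == 0:
            self.freed = True   # stands in for free()/close()

    def use(self):
        if self.freed:
            raise RuntimeError("use-after-free")
        return "using " + self.name


class Registry:
    """Owns one reference per registered resource; lookups hand out another."""

    def __init__(self):
        self.by_name = {}

    def create(self, name):
        self.by_name[name] = Resource(name)

    def lookup(self, name):
        res = self.by_name[name]
        res.incref()            # the caller now owns a reference and must decref it
        return res

    def drop(self, name):
        res = self.by_name.pop(name)
        res.decref()
        return res


def handler_correct(reg):
    res = reg.lookup("sock")
    try:
        return res.use()
    finally:
        res.decref()            # released on every path, including exceptions


def handler_leak(reg):
    """Error path returns early without the decref (the CVE-2004-0114 shape)."""
    res = reg.lookup("sock")
    try:
        raise IOError("client disconnected")
    except IOError:
        return None             # res.decref() never happens


def handler_double_release(reg):
    """One acquire, two releases: the count hits zero while the registry still holds it."""
    res = reg.lookup("sock")
    res.use()
    res.decref()
    res.decref()                # the bug


def run_scenarios():
    results = {}

    reg = Registry()
    reg.create("sock")
    handler_correct(reg)
    res = reg.drop("sock")
    results["correct"] = {"refcount": res.refcount, "freed": res.freed}

    reg = Registry()
    reg.create("sock")
    handler_leak(reg)
    res = reg.drop("sock")
    results["leak"] = {"refcount": res.refcount, "freed": res.freed}   # never released

    reg = Registry()
    reg.create("sock")
    handler_double_release(reg)
    try:
        reg.by_name["sock"].use()
        results["double_release"] = "ok"
    except RuntimeError as exc:
        results["double_release"] = str(exc)
    try:
        reg.drop("sock")
        results["double_release_drop"] = "ok"
    except RuntimeError as exc:
        results["double_release_drop"] = str(exc)
    return results
```

The try/finally in handler_correct is the whole fix for the leak case; the double-release case is only caught here because decref refuses to go below zero on a freed object, which is exactly the kind of assertion real refcount implementations often lack.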

Modes of Introduction:

– Implementation

Likelihood of Exploit: Medium

 

Related Weaknesses

CWE-664
CWE-672
CWE-772

 

Consequences

 

Potential Mitigations

CVE References

 

  • CVE-2002-0574
    • chain: reference count is not decremented, leading to memory leak in OS by sending ICMP packets.
  • CVE-2004-0114
    • Reference count for shared memory not decremented when a function fails, potentially allowing unprivileged users to read kernel memory.
  • CVE-2006-3741
    • chain: improper reference count tracking leads to file descriptor consumption
  • CVE-2007-1383
    • chain: integer overflow in reference counter causes the same variable to be destroyed twice.
  • CVE-2007-1700
    • Incorrect reference count calculation leads to improper object destruction and code execution.
  • CVE-2008-2136
    • chain: incorrect update of reference count leads to memory leak.
  • CVE-2008-2785
    • chain/composite: use of incorrect data type for a reference counter allows an overflow of the counter, leading to a free of memory that is still in use.
  • CVE-2008-5410
    • Improper reference counting leads to failure of cryptographic operations.
  • CVE-2009-1709
    • chain: improper reference counting in a garbage collection routine leads to use-after-free
  • CVE-2009-3553
    • chain: reference count not correctly maintained when client disconnects during a large operation, leading to a use-after-free.
  • CVE-2009-3624
    • Reference count not always incremented, leading to crash or code execution.
  • CVE-2010-0176
    • improper reference counting leads to expired pointer dereference.
  • CVE-2010-0623
    • OS kernel increments reference count twice but only decrements once, leading to resource consumption and crash.
  • CVE-2010-4593
    • improper reference counting leads to exhaustion of IP addresses
  • CVE-2011-0695
    • Race condition causes reference counter to be decremented prematurely, leading to the destruction of still-active object and an invalid pointer dereference.
  • CVE-2012-4787
    • improper reference counting leads to use-after-free

CWE-912 – Hidden Functionality

Description

The software contains functionality that is not documented, not part of the specification, and not accessible through an interface or command sequence that is obvious to the software’s users or administrators.

Hidden functionality can take many forms, such as intentionally malicious code, “Easter Eggs” that contain extraneous functionality such as games, developer-friendly shortcuts that reduce maintenance or support costs such as hard-coded accounts, etc. From a security perspective, even when the functionality is not intentionally malicious or damaging, it can increase the software’s attack surface and expose additional weaknesses beyond what is already exposed by the intended functionality. Even if it is not easily accessible, the hidden functionality could be useful for attacks that modify the control flow of the application.

Modes of Introduction:

– Architecture and Design

Likelihood of Exploit:

 

Related Weaknesses

CWE-684

 

Consequences

Other, Integrity: Varies by Context, Alter Execution Logic

 

Potential Mitigations

Phase: Installation

Effectiveness:

Description: 

Always verify the integrity of the software that is being installed.

Phase: Testing

Effectiveness:

Description: 

Conduct a code coverage analysis using live testing, then closely inspect any code that is not covered.

CVE References

 

CWE-913 – Improper Control of Dynamically-Managed Code Resources

Description

The software does not properly restrict reading from or writing to dynamically-managed code resources such as variables, objects, classes, attributes, functions, or executable instructions or statements.

Many languages offer powerful features that allow the programmer to dynamically create or modify existing code, or resources used by code such as variables and objects. While these features can offer significant flexibility and reduce development time, they can be extremely dangerous if attackers can directly influence these code resources in unexpected ways.

Modes of Introduction:

– Architecture and Design

Likelihood of Exploit:

 

Related Weaknesses

CWE-664

 

Consequences

Integrity: Execute Unauthorized Code or Commands

Other, Integrity: Varies by Context, Alter Execution Logic

 

Potential Mitigations

Phase: Implementation

Effectiveness:

Description: 

For any externally-influenced input, check the input against an allowlist of acceptable values.

Phase: Implementation, Architecture and Design

Effectiveness:

Description: 

Refactor the code so that it does not need to be dynamically managed.

CVE References

 

CWE-914 – Improper Control of Dynamically-Identified Variables

Description

The software does not properly restrict reading from or writing to dynamically-identified variables.

Many languages offer powerful features that allow the programmer to access arbitrary variables that are specified by an input string. While these features can offer significant flexibility and reduce development time, they can be extremely dangerous if attackers can modify unintended variables that have security implications.

Modes of Introduction:

– Architecture and Design

Likelihood of Exploit:

 

Related Weaknesses

CWE-99
CWE-913

 

Consequences

Integrity: Modify Application Data

An attacker could modify sensitive data or program variables.

Integrity: Execute Unauthorized Code or Commands

Other, Integrity: Varies by Context, Alter Execution Logic

 

Potential Mitigations

Phase: Implementation

Effectiveness:

Description: 

For any externally-influenced input, check the input against an allowlist of internal program variables that are allowed to be modified.

Phase: Implementation, Architecture and Design

Effectiveness:

Description: 

Refactor the code so that internal program variables do not need to be dynamically identified.

CVE References

 

  • CVE-2006-7079
    • extract used for register_globals compatibility layer, enables path traversal
  • CVE-2007-0649
    • extract() buried in include files makes post-disclosure analysis confusing; original report had seemed incorrect.
  • CVE-2006-2828
    • import_request_variables() buried in include files makes post-disclosure analysis confusing
  • CVE-2009-0422
    • Chain: Dynamic variable evaluation allows resultant remote file inclusion and path traversal.
  • CVE-2007-2431
    • Chain: dynamic variable evaluation in PHP program used to modify critical, unexpected $_SERVER variable for resultant XSS.
  • CVE-2006-4904
    • Chain: dynamic variable evaluation in PHP program used to conduct remote file inclusion.
  • CVE-2006-4019
    • Dynamic variable evaluation in mail program allows reading and modifying attachments and preferences of other users.

CWE-915 – Improperly Controlled Modification of Dynamically-Determined Object Attributes

Description

The software receives input from an upstream component that specifies multiple attributes, properties, or fields that are to be initialized or updated in an object, but it does not properly control which attributes can be modified.

Modes of Introduction:

– Architecture and Design

Likelihood of Exploit:

 

Related Weaknesses

CWE-913
CWE-502

 

Consequences

Integrity: Modify Application Data

An attacker could modify sensitive data or program variables.

Integrity: Execute Unauthorized Code or Commands

Other, Integrity: Varies by Context, Alter Execution Logic

 

Potential Mitigations

Phase: Implementation

Effectiveness:

Description: 

Phase: Architecture and Design, Implementation

Effectiveness:

Description: 

If available, use the signing/sealing features of the programming language to assure that deserialized data has not been tainted. For example, a hash-based message authentication code (HMAC) could be used to ensure that data has not been modified.

Phase: Implementation

Effectiveness:

Description: 

For any externally-influenced input, check the input against an allowlist of internal object attributes or fields that are allowed to be modified.

Phase: Implementation, Architecture and Design

Effectiveness:

Description: 

Refactor the code so that object attributes or fields do not need to be dynamically identified, and only expose getter/setter functionality for the intended attributes.
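CWE-913, CWE-914 and CWE-915 share one fix: the names a request may write to are a fixed allowlist, not whatever the client sends. The following is an added Python example (not CWE's code and not any framework's); the UserAccount class, the PROFILE_WRITABLE set and the request body are constructed for the demonstration. update_vulnerable reproduces the mass-assignment pattern from the CVE list, and update_hardened together with filter_params shows the rejecting variant and the strong-parameters-style stripping variant of the allowlist, plus a type check so a string cannot land in a boolean field.

```python
from dataclasses import dataclass


@dataclass
class UserAccount:
    username: str
    email: str
    display_name: str = ""
    is_admin: bool = False       # privileged; must never be request-writable
    password_hash: str = ""      # likewise


# The only attributes a profile-edit request may touch.
PROFILE_WRITABLE = frozenset({"email", "display_name"})

# Constructed request body: a legitimate field plus an attacker-added one
# (the CVE-2012-2054 / CVE-2012-1833 shape).
CONSTRUCTED_REQUEST = {"display_name": "Alice", "is_admin": True}


def update_vulnerable(user, params):
    """The CWE-915 pattern: every submitted key becomes an attribute write
    (PHP: foreach ($_POST as $k => $v) $obj->$k = $v; Rails update_attributes
    without strong parameters; Grails data binding)."""
    for key, value in params.items():
        setattr(user, key, value)
    return user


def filter_params(params, writable):
    """Strong-parameters style: keep allowlisted keys, report the rest."""
    accepted = {k: v for k, v in params.items() if k in writable}
    dropped = sorted(k for k in params if k not in writable)
    return accepted, dropped


def update_hardened(user, params, writable=PROFILE_WRITABLE):
    """Allowlist the attribute names and keep each value's declared type.

    Unknown keys are rejected outright here; filter_params() shows the
    alternative of silently dropping them (which should still be logged).
    """
    accepted, dropped = filter_params(params, writable)
    if dropped:
        raise ValueError("attributes not writable: %s" % dropped)
    for key, value in accepted.items():
        expected = type(getattr(user, key))
        if not isinstance(value, expected):
            raise TypeError("%s must be %s" % (key, expected.__name__))
        setattr(user, key, value)
    return user
```

The same allowlist applies to CWE-914's dynamic variables: a PHP extract($_REQUEST) or a Python globals().update(request) is update_vulnerable with the module namespace as the object, and the fix is identical.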

CVE References

 

  • CVE-2012-2054
    • Mass assignment allows modification of arbitrary attributes using modified URL.
  • CVE-2012-2055
    • Source version control product allows modification of trusted key using mass assignment.
  • CVE-2008-7310
    • Attackers can bypass payment step in e-commerce software.
  • CVE-2013-1465
    • Use of PHP unserialize function on untrusted input allows attacker to modify application configuration.
  • CVE-2012-3527
    • Use of PHP unserialize function on untrusted input in content management system might allow code execution.
  • CVE-2012-0911
    • Use of PHP unserialize function on untrusted input in content management system allows code execution using a crafted cookie value.
  • CVE-2012-0911
    • Content management system written in PHP allows unserialize of arbitrary objects, possibly allowing code execution.
  • CVE-2011-4962
    • Content management system written in PHP allows code execution through page comments.
  • CVE-2009-4137
    • Use of PHP unserialize function on cookie value allows remote code execution or upload of arbitrary files.
  • CVE-2007-5741
    • Content management system written in Python interprets untrusted data as pickles, allowing code execution.
  • CVE-2011-2520
    • Python script allows local users to execute code via pickled data.
  • CVE-2005-2875
    • Python script allows remote attackers to execute arbitrary code using pickled objects.
  • CVE-2013-0277
    • Ruby on Rails allows deserialization of untrusted YAML to execute arbitrary code.
  • CVE-2011-2894
    • Spring framework allows deserialization of objects from untrusted sources to execute arbitrary code.
  • CVE-2012-1833
    • Grails allows binding of arbitrary parameters to modify arbitrary object properties.
  • CVE-2010-3258
    • Incorrect deserialization in web browser allows escaping the sandbox.
  • CVE-2008-1013
    • Media library allows deserialization of objects by untrusted Java applets, leading to arbitrary code execution.

CWE-916 – Use of Password Hash With Insufficient Computational Effort

Description

The software generates a hash for a password, but it uses a scheme that does not provide a sufficient level of computational effort that would make password cracking attacks infeasible or expensive.

Modes of Introduction:

– Architecture and Design

Likelihood of Exploit:

 

Related Weaknesses

CWE-327

 

Consequences

Access Control: Bypass Protection Mechanism, Gain Privileges or Assume Identity

If an attacker obtains the hashes, the lack of sufficient computational effort makes offline guessing cheap: unsalted fast hashes can be attacked with precomputed tables such as rainbow tables, and even salted fast hashes can be brute forced on specialized hardware such as GPUs, which compute hashes far faster than general-purpose CPUs.

 

Potential Mitigations

Phase: Architecture and Design

Effectiveness: High

Description: 

Phase: Implementation, Architecture and Design

Effectiveness:

Description: 

When using industry-approved techniques, use them correctly. Don’t cut corners by skipping resource-intensive steps (CWE-325). These steps are often essential for preventing common attacks.
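Added Python example (not CWE's code) contrasting an unsalted MD5 with a salted, iterated PBKDF2-HMAC-SHA256 from the standard library. The storage format string, the iteration count and the needs_rehash helper are choices made for this example. needs_rehash addresses the “don't cut corners” point above: a stored hash made with fewer iterations than current policy still verifies, but should be upgraded at the next successful login while the plaintext is available.

```python
import hashlib
import hmac
import os

PBKDF2_ITERATIONS = 600_000     # current OWASP guidance for PBKDF2-HMAC-SHA256
SALT_BYTES = 16


def md5_unsalted(password):
    """The CWE-916 'before': fast and unsalted, so identical passwords give
    identical hashes and one rainbow table or GPU run covers every user."""
    return hashlib.md5(password.encode("utf-8")).hexdigest()


def hash_password(password, iterations=PBKDF2_ITERATIONS):
    """Salted, iterated PBKDF2-HMAC-SHA256; the work factor is stored with the hash."""
    salt = os.urandom(SALT_BYTES)
    dk = hashlib.pbkdf2_hmac("sha256", password.encode("utf-8"), salt, iterations)
    return "pbkdf2_sha256$%d$%s$%s" % (iterations, salt.hex(), dk.hex())


def verify_password(password, stored):
    """Recompute with the stored salt and iteration count; constant-time compare."""
    algorithm, iterations, salt_hex, dk_hex = stored.split("$")
    if algorithm != "pbkdf2_sha256":
        raise ValueError("unsupported hash format")
    dk = hashlib.pbkdf2_hmac("sha256", password.encode("utf-8"),
                             bytes.fromhex(salt_hex), int(iterations))
    return hmac.compare_digest(dk, bytes.fromhex(dk_hex))


def needs_rehash(stored):
    """True when a stored hash was made with less work than current policy."""
    return int(stored.split("$")[1]) < PBKDF2_ITERATIONS
```

Where a memory-hard function is available (scrypt in hashlib, or Argon2id from a vetted package), prefer it over PBKDF2; the salt-per-user, stored-work-factor and rehash-on-login structure stays the same.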

CVE References

 

  • CVE-2008-1526
    • Router does not use a salt with a hash, making it easier to crack passwords.
  • CVE-2006-1058
    • Router does not use a salt with a hash, making it easier to crack passwords.
  • CVE-2008-4905
    • Blogging software uses a hard-coded salt when calculating a password hash.
  • CVE-2002-1657
    • Database server uses the username for a salt when encrypting passwords, simplifying brute force attacks.
  • CVE-2001-0967
    • Server uses a constant salt when encrypting passwords, simplifying brute force attacks.
  • CVE-2005-0408
    • chain: product generates predictable MD5 hashes using a constant value combined with username, allowing authentication bypass.

CWE-917 – Improper Neutralization of Special Elements used in an Expression Language Statement (‘Expression Language Injection’)

Description

The software constructs all or part of an expression language (EL) statement in a Java Server Page (JSP) using externally-influenced input from an upstream component, but it does not neutralize or incorrectly neutralizes special elements that could modify the intended EL statement before it is executed.

Modes of Introduction:

– Architecture and Design

Likelihood of Exploit:

 

Related Weaknesses

CWE-77
CWE-74

 

Consequences

Confidentiality: Read Application Data

Integrity: Execute Unauthorized Code or Commands

 

Potential Mitigations

CVE References