Description
One or more system settings or configuration elements can be externally controlled by a user.
Allowing external control of system settings can disrupt service or cause an application to behave in unexpected, and potentially malicious ways.
Modes of Introduction:
– Implementation
Related Weaknesses
CWE-642
CWE-610
CWE-20
Consequences
Other: Varies by Context
Potential Mitigations
Phase: Architecture and Design
Description:
Phase: Implementation, Architecture and Design
Description:
Because setting manipulation covers a diverse set of functions, any attempt at illustrating it will inevitably be incomplete. Rather than searching for a tight-knit relationship between the functions addressed in the setting manipulation category, take a step back and consider the sorts of system values that an attacker should not be allowed to control.
Phase: Implementation, Architecture and Design
Description:
In general, do not allow user-provided or otherwise untrusted data to control sensitive values. The leverage that an attacker gains by controlling these values is not always immediately obvious, but do not underestimate the creativity of the attacker.
CVE References
