Tag Archives: CWE- 15

CWE-15 – External Control of System or Configuration Setting

Read Time:52 Second

Description

One or more system settings or configuration elements can be externally controlled by a user.

Allowing external control of system settings can disrupt service or cause an application to behave in unexpected, and potentially malicious ways.

Modes of Introduction:

– Implementation

 

 

Related Weaknesses

CWE-642
CWE-610
CWE-20

 

Consequences

Other: Varies by Context

 

Potential Mitigations

Phase: Architecture and Design

Description: 

Phase: Implementation, Architecture and Design

Description: 

Because setting manipulation covers a diverse set of functions, any attempt at illustrating it will inevitably be incomplete. Rather than searching for a tight-knit relationship between the functions addressed in the setting manipulation category, take a step back and consider the sorts of system values that an attacker should not be allowed to control.

Phase: Implementation, Architecture and Design

Description: 

In general, do not allow user-provided or otherwise untrusted data to control sensitive values. The leverage that an attacker gains by controlling these values is not always immediately obvious, but do not underestimate the creativity of the attacker.

CVE References