The product does not record, or improperly records, security-relevant information that leads to an incorrect decision or hampers later analysis.
This can be resultant, e.g. a buffer overflow might trigger a crash before the product can log the event.
Threat Mapped score: 1.5
Industry: Financial
Threat priority: P4 - Informational (Low)
CVE: CVE-2004-2227
Web browser's filename selection dialog only shows the beginning portion of long filenames, which can trick users into launching executables with dangerous extensions.
CVE: CVE-2003-0412
Application server does not log the complete URI of a long request (truncation).
CVE: CVE-1999-1029
Login attempts are not recorded if the user disconnects before the maximum number of tries.
CVE: CVE-2002-0725
Attacker performs malicious actions on a hard link to a file, obscuring the real target file.
CVE: CVE-1999-1055
Product does not warn user when document contains certain dangerous functions or macros.
N/A
Phase | Note |
---|---|
Architecture and Design | N/A |
Implementation | N/A |
Operation | N/A |
Example: This code logs suspicious multiple login attempts.

This code only logs failed login attempts when a certain limit is reached. If an attacker knows this limit, they can keep their attack from being discovered by staying below it.

```php
function login($userName, $password) {
    if (authenticate($userName, $password)) {
        return true;
    } else {
        incrementLoginAttempts($userName);
        // Only the attempt that exceeds the limit is logged; the first
        // five failures for this user leave no record at all.
        if (recentLoginAttempts($userName) > 5) {
            writeLog("Failed login attempt by User: " . $userName . " at " . date('r'));
        }
    }
}
```
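The hardened counterpart of the function above, as an added example that is not part of the CWE entry: every failed attempt is written to the log at once, so an attacker who stays under the lockout threshold still leaves a trace, and the lockout itself is recorded as a separate event. `authenticate()`, the attempt counter and the log sink are constructed in-memory stand-ins so the script runs on its own; `LOCKOUT_THRESHOLD` and the log message formats are assumptions.

```php
<?php
// Added example (not the CWE entry's own code): log every failure, not just
// the one that crosses the limit. The credential table, attempt counter and
// log sink below are constructed stand-ins for a real backend.

declare(strict_types=1);

const LOCKOUT_THRESHOLD = 5;            // assumed: failures before the account is locked

$VALID_CREDENTIALS = ['alice' => 'correct horse battery staple']; // constructed test data
$loginAttempts = [];                    // constructed in-memory attempt counter
$auditLog = [];                         // constructed in-memory log sink

function authenticate(string $user, string $password): bool {
    global $VALID_CREDENTIALS;
    return isset($VALID_CREDENTIALS[$user])
        && hash_equals($VALID_CREDENTIALS[$user], $password);
}

function writeLog(string $message): void {
    global $auditLog;
    $auditLog[] = $message;
}

function login(string $userName, string $password): bool {
    global $loginAttempts;
    $attempts = $loginAttempts[$userName] ?? 0;

    // Refuse locked accounts outright, and record the refusal as well.
    if ($attempts >= LOCKOUT_THRESHOLD) {
        writeLog("Rejected login for locked account: " . $userName . " at " . date('r'));
        return false;
    }

    if (authenticate($userName, $password)) {
        $loginAttempts[$userName] = 0;  // reset the counter on success
        writeLog("Successful login by User: " . $userName . " at " . date('r'));
        return true;
    }

    $loginAttempts[$userName] = ++$attempts;
    // Every failure is logged immediately, with its position in the run.
    writeLog("Failed login attempt " . $attempts . " by User: " . $userName . " at " . date('r'));
    if ($attempts >= LOCKOUT_THRESHOLD) {
        writeLog("Account locked after " . $attempts . " failures: " . $userName);
    }
    return false;
}

// Demonstration: four bad guesses stay below the threshold, yet each one is logged.
for ($i = 0; $i < 4; $i++) {
    login('alice', 'wrong-guess-' . $i);
}
echo count($auditLog) . " log entries\n";   // 4 here; the original function would record none
print_r($auditLog);
```

Because `$userName` is attacker-controlled, a production version should pass it through the same sanitisation the rest of the log pipeline uses before concatenating it into a log line; the example keeps the message format of the original so the two can be compared directly.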