CWE-552: Files or Directories Accessible to External Parties

Description

The product makes files or directories accessible to unauthorized actors, even though they should not be.

Extended Description

Web servers, FTP servers, and similar servers may store a set of files underneath a "root" directory that is accessible to the server's users. Applications may store sensitive files underneath this root without also using access control to limit which users may request those files, if any. Alternately, an application might package multiple files or directories into an archive file (e.g., ZIP or tar), but the application might not exclude sensitive files that are underneath those directories. In cloud technologies and containers, this weakness might present itself in the form of misconfigured storage accounts that can be read or written by a public or anonymous user.

ThreatScore

Threat Mapped score: 0.0

Industry: Finiancial

Threat priority: Unclassified

Observed Examples (CVEs)

CVE: CVE-2005-1835

Data file under web root.

Related Attack Patterns (CAPEC)

Attack TTPs

T1003 — OS Credential Dumping (credential-access)
T1602 — Data from Configuration Repository (collection)
T1119 — Automated Collection (collection)
T1530 — Data from Cloud Storage (collection)
T1555 — Credentials from Password Stores (credential-access)
T1552.004 — Private Keys (credential-access)
T1552.003 — Bash History (credential-access)
T1552.001 — Credentials In Files (credential-access)
T1552.006 — Group Policy Preferences (credential-access)
T1039 — Data from Network Shared Drive (collection)
T1213 — Data from Information Repositories (collection)

Malware

APTs (Intrusion Sets)

Modes of Introduction

Phase	Note
Architecture and Design	N/A
Implementation	OMISSION: This weakness is caused by missing a security tactic during the architecture and design phase.
Operation	OMISSION: This weakness is caused by missing a security tactic during the architecture and design phase.

Common Consequences

Impact: Read Files or Directories, Modify Files or Directories — Notes:

Potential Mitigations

Implementation: When storing data in the cloud (e.g., S3 buckets, Azure blobs, Google Cloud Storage, etc.), use the provider's controls to disable public access. (N/A)

Applicable Platforms

None (Not Language-Specific, Undetermined)

Demonstrative Examples

Intro: The following Azure command updates the settings for a storage account:

Body: However, "Allow Blob Public Access" is set to true, meaning that anonymous/public users can access blobs.

az storage account update --name <storage-account> --resource-group <resource-group> --allow-blob-public-access true

Intro: The following Google Cloud Storage command gets the settings for a storage account named 'BUCKET_NAME':

Body: Suppose the command returns the following result:

gsutil iam get gs://BUCKET_NAME

Notes

No notes available.

← Back to CWE list