The product does not properly transfer a resource/behavior to another sphere, or improperly imports a resource/behavior from another sphere, in a manner that provides unintended control over that resource.
N/A
Threat Mapped score: 1.8
Industry: Finiancial
Threat priority: P4 - Informational (Low)
CVE: CVE-2021-22909
Chain: router's firmware update procedure uses curl with "-k" (insecure) option that disables certificate validation (CWE-295), allowing adversary-in-the-middle (AITM) compromise with a malicious firmware image (CWE-494).
CVE: CVE-2023-5227
PHP-based FAQ management app does not check the MIME type for uploaded images
CVE: CVE-2005-0406
Some image editors modify a JPEG image, but the original EXIF thumbnail image is left intact within the JPEG. (Also an interaction error).
N/A
N/A
| Phase | Note |
|---|---|
| Architecture and Design | N/A |
| Implementation | REALIZATION: This weakness is caused during implementation of an architectural security tactic. |
| Operation | N/A |
Intro: The following code demonstrates the unrestricted upload of a file with a Java servlet and a path traversal vulnerability. The action attribute of an HTML form is sending the upload file request to the Java servlet.
Body: When submitted the Java servlet's doPost method will receive the request, extract the name of the file from the Http request header, read the file contents from the request and output the file to the local upload directory.
<form action="FileUploadServlet" method="post" enctype="multipart/form-data"> Choose a file to upload: <input type="file" name="filename"/> <br/> <input type="submit" name="submit" value="Submit"/> </form>Intro: This code includes an external script to get database credentials, then authenticates a user against the database, allowing access to the application.
Body: This code does not verify that the external domain accessed is the intended one. An attacker may somehow cause the external domain name to resolve to an attack server, which would provide the information for a false database. The attacker may then steal the usernames and encrypted passwords from real user login attempts, or simply allow themself to access the application without a real user account.
//assume the password is already encrypted, avoiding CWE-312 function authenticate($username,$password){ include("http://external.example.com/dbInfo.php"); //dbInfo.php makes $dbhost, $dbuser, $dbpass, $dbname available mysql_connect($dbhost, $dbuser, $dbpass) or die ('Error connecting to mysql'); mysql_select_db($dbname); $query = 'Select * from users where username='.$username.' And password='.$password; $result = mysql_query($query); if(mysql_numrows($result) == 1){ mysql_close(); return true; } else{ mysql_close(); return false; } }Intro: This code either generates a public HTML user information page or a JSON response containing the same user information.
Body: The programmer is careful to not display the user's e-mail address when displaying the public HTML page. However, the e-mail address is not removed from the JSON response, exposing the user's e-mail address.
// API flag, output JSON if set $json = $_GET['json'] $username = $_GET['user'] if(!$json) { $record = getUserRecord($username); foreach($record as $fieldName => $fieldValue) { if($fieldName == "email_address") { // skip displaying user emails continue; } else{ writeToHtmlPage($fieldName,$fieldValue); } } } else { $record = getUserRecord($username); echo json_encode($record); }