CWE-620
Powiadomienia dla konkretnego CWE
Bądź na bieżąco z wszelkimi zmianami dotyczącymi konkretnego CWE.
Nazwa: Unverified Password Change
When setting a new password for a user, the product does not require knowledge of the original password, or using another form of authentication.
Opis CWE
This could be used by an attacker to change passwords for another user, thus gaining the privileges associated with that user.
Informacje ogólne
Sposoby wprowadzenia
Architecture and DesignImplementation : REALIZATION: This weakness is caused during implementation of an architectural security tactic.
Odpowiednie platformy
Język
Class: Not Language-Specific (Undetermined)Technologie
Class: Not Technology-Specific (Undetermined)Typowe konsekwencje
| Zakres | Wpływ | Prawdopodobieństwo |
|---|---|---|
| Access Control | Bypass Protection Mechanism, Gain Privileges or Assume Identity |
Zaobserwowane przykłady
| Odniesienia | Opis |
|---|---|
CVE-2007-0681 | Web app allows remote attackers to change the passwords of arbitrary users without providing the original password, and possibly perform other unauthorized actions. |
CVE-2000-0944 | Web application password change utility doesn't check the original password. |
Potencjalne środki zaradcze
Phases : Architecture and DesignWhen prompting for a password change, force the user to provide the original password in addition to the new password.
Phases : Architecture and Design
Do not use "forgotten password" functionality. But if you must, ensure that you are only providing information to the actual user, e.g. by using an email address or challenge question that the legitimate user already provided in the past; do not allow the current user to change this identity information until the correct password has been provided.
Uwagi dotyczące mapowania podatności
Uzasadnienie : This CWE entry is at the Base level of abstraction, which is a preferred level of abstraction for mapping to the root causes of vulnerabilities.Komentarz : Carefully read both the name and description to ensure that this mapping is an appropriate fit. Do not try to 'force' a mapping to a lower-level Base/Variant simply to comply with this preferred level of abstraction.
Odniesienia
REF-44
24 Deadly Sins of Software SecurityMichael Howard, David LeBlanc, John Viega.
Zgłoszenie
| Nazwa | Organizacja | Data | Data wydania | Version |
|---|---|---|---|---|
| CWE Content Team | MITRE | Draft 6 |
Modyfikacje
| Nazwa | Organizacja | Data | Komentarz |
|---|---|---|---|
| Eric Dalci | Cigital | updated Time_of_Introduction | |
| Veracode | Suggested OWASP Top Ten 2004 mapping | ||
| CWE Content Team | MITRE | updated Description, Relationships, Observed_Example, Other_Notes, Taxonomy_Mappings | |
| CWE Content Team | MITRE | updated Observed_Examples | |
| CWE Content Team | MITRE | updated Demonstrative_Examples | |
| CWE Content Team | MITRE | updated Other_Notes, Weakness_Ordinalities | |
| CWE Content Team | MITRE | updated Common_Consequences | |
| CWE Content Team | MITRE | updated Demonstrative_Examples, Observed_Examples, References, Relationships | |
| CWE Content Team | MITRE | updated Potential_Mitigations | |
| CWE Content Team | MITRE | updated Relationships | |
| CWE Content Team | MITRE | updated Relationships, Taxonomy_Mappings | |
| CWE Content Team | MITRE | updated Applicable_Platforms, Modes_of_Introduction, Relationships | |
| CWE Content Team | MITRE | updated Relationships | |
| CWE Content Team | MITRE | updated Relationships, Type | |
| CWE Content Team | MITRE | updated Relationships | |
| CWE Content Team | MITRE | updated Relationships | |
| CWE Content Team | MITRE | updated Relationships | |
| CWE Content Team | MITRE | updated Mapping_Notes | |
| CWE Content Team | MITRE | updated Applicable_Platforms, Relationships |
