CWE-454: External Initialization of Trusted Variables or Data Stores

Structure: Simple

Abstraction: Base

Status: Draft

Likelihood of Exploit: Unknown

Description

The software initializes critical internal variables or data stores using inputs that can be modified by untrusted actors.

Extended Description

A software system should be reluctant to trust variables that have been initialized outside of its trust boundary, especially if they are initialized by users. The variables may have been initialized incorrectly. If an attacker can initialize the variable, then they can influence what the vulnerable system will do.

Related Weaknesses

  • ChildOf CWE-665 (View 1000, Primary)

  • CanAlsoBe CWE-456 (View 1000)

Applicable Platforms

Language: PHP (Prevalence: Sometimes); Language-Independent (Prevalence: Undetermined)

Common Consequences

Scope: Integrity
Impact: Modify Application Data
Note: An attacker could gain access to and modify sensitive data or system information.

Potential Mitigations

Implementation

Strategy: Input Validation

A software system should be reluctant to trust variables that have been initialized outside of its trust boundary. Ensure adequate checking (e.g. input validation) is performed when relying on input from outside a trust boundary.

Architecture and Design

Avoid any external control of variables. If necessary, restrict the variables that can be modified using a whitelist, and use a different namespace or naming convention if possible.

Demonstrative Examples

In the Java example below, a system property controls the debug level of the application.

bad Java

// The debug level is initialized from a system property that lies outside the
// application's trust boundary. The default of 0 avoids a NullPointerException
// when the property is unset; the external control of the value remains.
int debugLevel = Integer.getInteger("com.domain.application.debugLevel", 0);

If an attacker is able to modify the system property, they may be able to coax the application into divulging sensitive information, because more debug information is printed or exposed as the debug level increases.

This code checks the HTTP POST request for a debug switch, and enables a debug mode if the switch is set.

bad PHP

// The trusted flag is initialized from request data that crosses the trust boundary.
$debugEnabled = false;
if ($_POST["debug"] == "true") {
    $debugEnabled = true;
}
/* ... */

function login($username, $password) {
    global $debugEnabled;  // the flag set from the request above
    if ($debugEnabled) {
        echo 'Debug Activated';
        phpinfo();
        // Authorization is granted by the externally controlled flag, not by credentials.
        $isAdmin = true;
        return true;
    }
}

Any user can activate the debug mode and thereby gain administrator privileges. An attacker may also use the information printed by the phpinfo() function to further exploit the system.

This example also exhibits Information Exposure Through Debug Information (CWE-215).
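The debug-switch logic from the PHP example above, rewritten as an added example (Python, not part of the CWE entry) in its vulnerable and hardened forms: the hardened version applies the mitigations listed above, initializing the debug level only from server-side configuration, validating it against an allowlist, and keeping it in its own namespace. USERS, ServerConfig and the login_* functions are illustrative names.

```python
import hmac
from dataclasses import dataclass

# Constructed sample credential store: username -> (password, is_admin).
USERS = {"alice": ("s3cret", False), "root": ("hunter2", True)}

def _credentials_ok(form: dict):
    """Return (authenticated, is_admin) using only the submitted credentials."""
    pw, is_admin = USERS.get(form.get("username"), (None, False))
    ok = pw is not None and hmac.compare_digest(
        pw.encode(), str(form.get("password", "")).encode())
    return ok, ok and is_admin

def login_vulnerable(form: dict) -> dict:
    """Mirrors the page's PHP: a trusted flag is initialized from request data
    and that flag, not the credentials, decides who is an administrator."""
    debug_enabled = form.get("debug") == "true"   # value crosses the trust boundary
    if debug_enabled:
        return {"authenticated": True, "is_admin": True, "debug": True}
    ok, is_admin = _credentials_ok(form)
    return {"authenticated": ok, "is_admin": is_admin, "debug": False}

# Hardened form: the debug level is initialized from server-side configuration only.
DEBUG_LEVELS = {"off": 0, "info": 1, "verbose": 2}  # allowlist of legal values

@dataclass(frozen=True)
class ServerConfig:
    """Operator-controlled settings. The attribute sits in its own namespace,
    so a request parameter named 'debug' cannot alias it."""
    app_internal_debug_level: str = "off"

def resolve_debug_level(config: ServerConfig) -> int:
    """Validate even the trusted source: anything outside the allowlist fails closed to 0."""
    return DEBUG_LEVELS.get(config.app_internal_debug_level, 0)

def login_hardened(form: dict, config: ServerConfig) -> dict:
    """Request data is consulted only as credentials; the debug level comes from
    config and never influences authorization."""
    debug_level = resolve_debug_level(config)
    ok, is_admin = _credentials_ok(form)
    if debug_level >= 2:
        # Diagnostics go to the server log, never into the response body.
        print(f"[debug] login attempt user={form.get('username')!r} ok={ok}")
    return {"authenticated": ok, "is_admin": is_admin, "debug_level": debug_level}
```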

Observed Examples

CVE-2000-0959: Does not clear dangerous environment variables, enabling symlink attack. https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2000-0959
CVE-2001-0033: Specify alternate configuration directory in environment variable, enabling untrusted path. https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2001-0033
CVE-2001-0872: Dangerous environment variable not cleansed. https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2001-0872
CVE-2001-0084: Specify arbitrary modules using environment variable. https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2001-0084

Notes

Relationship: Overlaps missing variable initialization, especially in PHP.

Taxonomy Mappings

PLOVER: External initialization of trusted variables or values
Software Fault Patterns: SFP25, Tainted input to variable