Name Manipulating Writeable Configuration Files
Summary Generally these are manually edited files that are not in the preview of the system administrators, any ability on the attackers' behalf to modify these files, for example in a CVS repository, gives unauthorized access directly to the application, the same as authorized users.
Prerequisites Configuration files must be modifiable by the attacker
Solutions Design: Enforce principle of least privilege Design: Backup copies of all configuration files Implementation: Integrity monitoring for configuration files Implementation: Enforce audit logging on code and configuration promotion procedures. Implementation: Load configuration from separate process and memory space, for example a separate physical device like a CD
Related Weaknesses
CWE ID Description
CWE-77 Improper Neutralization of Special Elements used in a Command ('Command Injection')
CWE-99 Improper Control of Resource Identifiers ('Resource Injection')
CWE-346 Origin Validation Error
CWE-349 Acceptance of Extraneous Untrusted Data With Trusted Data
CWE-353 Missing Support for Integrity Check
CWE-354 Improper Validation of Integrity Check Value
CWE-713
Back to Top