Description:
The software, upon installation, sets incorrect permissions for an object that exposes it to an unintended actor.

Relationships:
  View 1000: ChildOf Weakness 732
  View 699: ChildOf Category 275
  View 734: ChildOf Category 743
  View 844: ChildOf Category 857
  View 868: ChildOf Category 877
  View 888: ChildOf Category 899

Weakness ordinality: Primary

Time of introduction: Architecture and Design; Implementation; Installation; Operation

Likelihood of exploit: Medium

Common consequences:
  Scope: Confidentiality, Integrity
  Technical impact: Read application data; Modify application data

Potential mitigations:
  Phase: Architecture and Design; Operation
  Very carefully manage the setting, management, and handling of privileges. Explicitly manage trust zones in the software.

  Phase: Architecture and Design
  Strategy: Separation of Privilege
  Compartmentalize the system to have "safe" areas where trust boundaries can be unambiguously drawn. Do not allow sensitive data to go outside of the trust boundary and always be careful when interfacing with a compartment outside of the safe area. Ensure that appropriate compartmentalization is built into the system design and that the compartmentalization serves to allow for and further reinforce privilege separation functionality. Architects and designers should rely on the principle of least privilege to decide when it is appropriate to use and to drop system privileges.

Implicit

Observed examples:
  CVE-2005-1941: Executables installed world-writable.
  CVE-2002-1713: Home directories installed world-readable.
  CVE-2001-1550: World-writable log files allow information loss; world-readable file has cleartext passwords.
  CVE-2002-1711: World-readable directory.
  CVE-2002-1844: Windows product uses insecure permissions when installing on Solaris (genesis: port error).
  CVE-2001-0497: Insecure permissions for a shared secret key file. Overlaps cryptographic problem.
  CVE-1999-0426: Default permissions of a device allow IP spoofing.

References:
  Mark Dowd, John McDonald, Justin Schuh. The Art of Software Security Assessment, 1st Edition. Addison Wesley, 2006. Chapter 3, "Insecure Defaults", Page 69.

Taxonomy mappings:
  Insecure Default Permissions
  FIO06-C: Create files with appropriate access permissions
  FIO01-J: Create files with appropriate access permission
  FIO06-CPP: Create files with appropriate access permissions

Related attack patterns: CAPEC-1, CAPEC-127, CAPEC-169, CAPEC-19, CAPEC-81

Content history:
  Submitted by: PLOVER
  Modifications:
    Eric Dalci (Cigital), 2008-07-01: updated Time_of_Introduction
    CWE Content Team (MITRE), 2008-09-08: updated Relationships, Taxonomy_Mappings, Weakness_Ordinalities
    CWE Content Team (MITRE), 2008-11-24: updated Relationships, Taxonomy_Mappings
    CWE Content Team (MITRE), 2009-05-27: updated Description, Name
    CWE Content Team (MITRE), 2011-06-01: updated Common_Consequences, Relationships, Taxonomy_Mappings
    CWE Content Team (MITRE), 2011-09-13: updated Relationships, Taxonomy_Mappings
    CWE Content Team (MITRE), 2012-05-11: updated References, Related_Attack_Patterns, Relationships, Taxonomy_Mappings
    CWE Content Team (MITRE), 2012-10-30: updated Potential_Mitigations
  Previous entry name: Insecure Default Permissions
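Added example (not part of the CWE entry, and not CERT's own code for FIO06-C): the weak and the hardened file-creation pattern side by side, with a small permission check of the kind an installer or a post-install audit can run. The file path, the helper names and the choice of umask values are constructed for the demonstration; the security-relevant point is that requesting 0666 and trusting the inherited umask is what produces the world-writable and world-readable files listed in the observed examples, while requesting owner-only bits at open() time does not depend on the caller's environment.

```c
#include <errno.h>
#include <fcntl.h>
#include <stdio.h>
#include <sys/stat.h>
#include <sys/types.h>
#include <unistd.h>

/* Group and "other" bits: any of these set means the object is reachable
 * from accounts other than the owner, which is the CWE-276 condition. */
#define CWE276_EXPOSED_BITS (S_IRWXG | S_IRWXO)

/* Permission bits of a path (e.g. 0644), or -1 if it cannot be stat'ed. */
int file_mode(const char *path)
{
    struct stat st;
    if (stat(path, &st) != 0)
        return -1;
    return (int)(st.st_mode & 07777);
}

/* 1 when group/other can read, write or execute; 0 when owner-only;
 * -1 for an invalid mode value. Usable as an audit check over installed files. */
int mode_is_exposed(int mode)
{
    if (mode < 0)
        return -1;
    return (mode & CWE276_EXPOSED_BITS) ? 1 : 0;
}

/* Weak pattern: ask for 0666 and rely on the process umask to strip bits.
 * Installers and daemons frequently run with a permissive umask (000),
 * and then this call produces a world-writable file. */
int create_file_weak(const char *path)
{
    unlink(path); /* start from a clean slate; ENOENT here is fine */
    int fd = open(path, O_WRONLY | O_CREAT | O_EXCL, 0666);
    if (fd < 0)
        return -1;
    return close(fd);
}

/* Hardened pattern: request only the owner bits explicitly, so the result
 * does not depend on the inherited umask. O_EXCL makes the call fail instead
 * of opening a file (or following a symlink) that already exists at the path. */
int create_file_private(const char *path)
{
    unlink(path);
    int fd = open(path, O_WRONLY | O_CREAT | O_EXCL, S_IRUSR | S_IWUSR);
    if (fd < 0)
        return -1;
    return close(fd);
}

/* Create the file under a chosen umask (restored afterwards), report the
 * resulting permission bits, and remove the file again. This lets the two
 * patterns be compared under identical conditions. */
int mode_after_create(const char *path, mode_t mask, int hardened)
{
    mode_t old = umask(mask);
    int rc = hardened ? create_file_private(path) : create_file_weak(path);
    umask(old);
    if (rc != 0)
        return -1;
    int mode = file_mode(path);
    unlink(path);
    return mode;
}

int main(void)
{
    /* Constructed sample path for the demonstration. */
    const char *path = "/tmp/cwe276_demo.txt";
    int weak = mode_after_create(path, 0, 0);
    int hard = mode_after_create(path, 0, 1);
    printf("umask 000, 0666 requested      -> %04o (exposed=%d)\n",
           (unsigned)weak, mode_is_exposed(weak));
    printf("umask 000, owner-only requested -> %04o (exposed=%d)\n",
           (unsigned)hard, mode_is_exposed(hard));
    return 0;
}
```

With umask 000 the weak pattern yields 0666 and the hardened one 0600; with the common umask 022 the weak pattern still yields 0644, which is exactly the world-readable case behind several of the CVEs above (cleartext passwords or secret keys in a readable file). The same mode_is_exposed check applied to every file an installer writes is a cheap post-install audit for this weakness.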