External Control of System or Configuration Setting

ID: CWE-15
Date: (C) 2012-05-14   (M) 2022-10-10
Type: weakness
Status: INCOMPLETE
Abstraction Type: Base

Description

One or more system settings or configuration elements can be externally controlled by a user.

Extended Description

Allowing external control of system settings can disrupt service or cause an application to behave in unexpected and potentially malicious ways.

Applicable Platforms
None

Time Of Introduction

  • Implementation

Related Attack Patterns

Common Consequences

Scope: Other
Technical Impact: Varies by context
Notes: 

Detection Methods
None

Potential Mitigations

Phase: 
Strategy: 
Description: Compartmentalize your system and determine where the trust boundaries exist. Any input/control outside the trust boundary should be treated as potentially hostile.
Effectiveness: 
Notes: 

Phase: Implementation, Architecture and Design
Strategy: 
Description: Because setting manipulation covers a diverse set of functions, any attempt at illustrating it will inevitably be incomplete. Rather than searching for a tight-knit relationship between the functions addressed in the setting manipulation category, take a step back and consider the sorts of system values that an attacker should not be allowed to control.
Effectiveness: 
Notes: 

Phase: Implementation, Architecture and Design
Strategy: 
Description: In general, do not allow user-provided or otherwise untrusted data to control sensitive values. The leverage that an attacker gains by controlling these values is not always immediately obvious, but do not underestimate the creativity of the attacker.
Effectiveness: 
Notes: 

Relationships

Related CWE: CWE-15 ChildOf CWE-896
Type: Category
View: CWE-888
Chain: 

Demonstrative Examples

  1. The following C code accepts a number as one of its command line parameters and sets it as the host ID of the current machine.
  2. The following Java code snippet reads a string from an HttpServletRequest and sets it as the active catalog for a database Connection.
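The first demonstrative example above (a host ID taken straight from the command line) is the classic shape of this weakness, and the mitigations above describe the fix: decide where the trust boundary is and validate anything that crosses it before it can reach a sensitive setting. The following C program is an added example, not the code from the CWE entry, that puts the unchecked pattern beside a checked one. The allowlist of permitted host IDs and the `record_setter` function are constructed for the demonstration; a real program would pass a privileged setter such as `sethostid` through the same `setter` parameter, which is why the setter is injected rather than called directly.

```c
#include <ctype.h>
#include <errno.h>
#include <stddef.h>
#include <stdio.h>
#include <stdlib.h>

/* Constructed allowlist: the host IDs this deployment may use. In a real
   system this comes from a trusted source (build config, signed policy),
   never from the same untrusted channel as the request. */
static const long ALLOWED_HOST_IDS[] = { 0x1a2b3c4dL, 0x0badf00dL };

/* Vulnerable pattern (CWE-15): the externally supplied string becomes the
   system setting with no validation. atol() silently accepts garbage such
   as "12abc" (-> 12) or "0x1a2b3c4d" (-> 0), so the caller never learns
   that the value was not what it looked like. */
int set_host_id_unchecked(const char *arg, int (*setter)(long)) {
    return setter(atol(arg));
}

/* Strict parse: the entire string must be one non-negative integer
   (decimal, octal or 0x-prefixed hex) that fits in 32 bits. */
int parse_host_id(const char *s, long *out) {
    if (s == NULL || *s == '\0' || isspace((unsigned char)*s)) return -1;
    errno = 0;
    char *end = NULL;
    long v = strtol(s, &end, 0);
    if (errno == ERANGE || end == s || *end != '\0') return -1;
    if (v < 0 || (unsigned long)v > 0xffffffffUL) return -1;
    *out = v;
    return 0;
}

/* Policy check: only values the operator pre-approved may be applied. */
int is_allowed_host_id(long v) {
    size_t n = sizeof(ALLOWED_HOST_IDS) / sizeof(ALLOWED_HOST_IDS[0]);
    for (size_t i = 0; i < n; i++) {
        if (ALLOWED_HOST_IDS[i] == v) return 1;
    }
    return 0;
}

/* Hardened pattern: input crosses the trust boundary only after it has
   been parsed strictly and matched against the allowlist. Returns 0 on
   success, -1 if the input was rejected or the setter failed. */
int set_host_id_checked(const char *arg, int (*setter)(long)) {
    long v;
    if (parse_host_id(arg, &v) != 0) return -1;
    if (!is_allowed_host_id(v)) return -1;
    return setter(v) == 0 ? 0 : -1;
}

/* Constructed setter that just records the value, so the example runs
   without privileges. Swap in sethostid for the real (root-only) effect. */
static long last_applied = -1;
int record_setter(long v) { last_applied = v; return 0; }
long last_applied_host_id(void) { return last_applied; }

int main(int argc, char **argv) {
    const char *arg = argc > 1 ? argv[1] : "12abc";
    if (set_host_id_checked(arg, record_setter) == 0)
        printf("applied host id 0x%lx\n", last_applied_host_id());
    else
        printf("rejected \"%s\": not a valid, allowlisted host id\n", arg);
    return 0;
}
```

Run it with no argument to see the constructed bad input "12abc" rejected, or with "0x1a2b3c4d" to see an allowlisted value applied; the unchecked variant would have applied 12 in the first case without complaint. The same two-step shape (strict parse, then policy check against data the user cannot influence) applies to the Java catalog example, where the request parameter should be matched against the set of catalogs the application actually serves before it reaches the Connection.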

White Box Definitions
None

Black Box Definitions
None

Taxonomy Mappings

Taxonomy: 7 Pernicious Kingdoms
Id: 
Name: Setting Manipulation
Fit: 

References:
None

Related CVEs (1): CVE-2021-38453

© SecPod Technologies