Unverified Password Change

ID: 620
Date created: 2012-05-14
Date modified: 2012-11-08
Type: Weakness
Status: DRAFT
Abstraction Type: Variant

Description

When setting a new password for a user, the product does not require knowledge of the original password or the use of another form of authentication.

Extended Description

This could be used by an attacker to change passwords for another user, thus gaining the privileges associated with that user.

Applicable Platforms
Language Class: All

Time Of Introduction

  • Architecture and Design
  • Implementation

Common Consequences

Scope: Access Control
Technical Impact: Bypass protection mechanism; Gain privileges / assume identity

Detection Methods
None

Potential Mitigations

  1. Phase: Architecture and Design
     Description: When prompting for a password change, force the user to provide the original password in addition to the new password.

  2. Phase: Architecture and Design
     Description: Do not use "forgotten password" functionality. But if you must, ensure that you are only providing information to the actual user, e.g. by using an email address or challenge question that the legitimate user already provided in the past; do not allow the current user to change this identity information until the correct password has been provided.
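As an added illustration of the two mitigations above (example code written for this page, not code from the CWE entry or from SecPod), the following Python sketch places the CWE-620 pattern next to a password-change handler that demands the original password, locks recovery identity information behind that password, and hands a reset secret only to the previously registered address. The in-memory UserStore, the user "alice", her e-mail address and the PBKDF2 parameters are constructed for the example; a real deployment would keep the records in a database and send the reset token by mail.

```python
import hashlib
import hmac
import os
import secrets
from dataclasses import dataclass
from typing import Dict, Optional, Tuple

# Constructed for the example: a real system would use a vetted password-hashing
# library and tune the work factor for its hardware.
PBKDF2_ROUNDS = 100_000


@dataclass
class User:
    username: str
    salt: bytes
    pw_hash: bytes
    recovery_email: str                 # identity info given when the account was created
    reset_token: Optional[bytes] = None # single-use secret for the "forgotten password" flow


def derive_hash(password: str, salt: bytes) -> bytes:
    return hashlib.pbkdf2_hmac("sha256", password.encode("utf-8"), salt, PBKDF2_ROUNDS)


class UserStore:
    """Minimal in-memory account store (constructed for the example)."""

    def __init__(self) -> None:
        self.users: Dict[str, User] = {}

    def add_user(self, username: str, password: str, recovery_email: str) -> None:
        salt = os.urandom(16)
        self.users[username] = User(username, salt, derive_hash(password, salt), recovery_email)

    def verify(self, username: str, password: str) -> bool:
        """Constant-time comparison of a candidate password against the stored hash."""
        user = self.users.get(username)
        if user is None:
            return False
        return hmac.compare_digest(derive_hash(password, user.salt), user.pw_hash)

    def _set_password(self, user: User, new_password: str) -> None:
        user.salt = os.urandom(16)
        user.pw_hash = derive_hash(new_password, user.salt)
        user.reset_token = None          # any outstanding reset token is consumed


# The CWE-620 pattern: nothing ties the request to the account owner, so anyone
# who can reach this function and name a user can replace that user's password.
def change_password_unverified(store: UserStore, username: str, new_password: str) -> bool:
    user = store.users.get(username)
    if user is None:
        return False
    store._set_password(user, new_password)
    return True


# Mitigation 1: the original password must accompany the new one.
def change_password(store: UserStore, username: str, current_password: str, new_password: str) -> bool:
    if not store.verify(username, current_password):
        return False                     # wrong or missing original password: refuse
    store._set_password(store.users[username], new_password)
    return True


# Mitigation 2: the recovery identity information is itself locked behind the password,
# so an attacker cannot first redirect recovery mail and then "forget" the password.
def change_recovery_email(store: UserStore, username: str, current_password: str, new_email: str) -> bool:
    if not store.verify(username, current_password):
        return False
    store.users[username].recovery_email = new_email
    return True


# "Forgotten password": the secret is delivered only to the address registered
# earlier; it is never returned to the unauthenticated requester.
def start_password_reset(store: UserStore, username: str) -> Optional[Tuple[str, str]]:
    """Returns (recovery_email, token) for the mailer, or None if the user is unknown."""
    user = store.users.get(username)
    if user is None:
        return None
    token = secrets.token_urlsafe(32)
    user.reset_token = token.encode("utf-8")
    return user.recovery_email, token


def complete_password_reset(store: UserStore, username: str, token: str, new_password: str) -> bool:
    user = store.users.get(username)
    if user is None or user.reset_token is None:
        return False
    if not hmac.compare_digest(token.encode("utf-8"), user.reset_token):
        return False
    store._set_password(user, new_password)   # also clears the single-use token
    return True


if __name__ == "__main__":
    store = UserStore()
    store.add_user("alice", "correct-horse", "alice@example.invalid")
    print(change_password(store, "alice", "guess", "pwned"))            # False
    print(change_password(store, "alice", "correct-horse", "battery"))  # True
    email, token = start_password_reset(store, "alice")
    print(complete_password_reset(store, "alice", "bogus", "x"))        # False
    print(complete_password_reset(store, "alice", token, "staple"))     # True
```

Returning False rather than raising keeps the unverified and verified handlers directly comparable; the one line that distinguishes them is the `store.verify(...)` gate, which is exactly the check the first mitigation describes.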

Relationships

Related CWE: CWE-620 ChildOf CWE-898
Type: Category
View: CWE-888

Demonstrative Examples   (Details)

  1. This code changes a user's password. (Demonstrative Example Id DX-56)

Observed Examples

  1. CVE-2007-0681 : Web app allows remote attackers to change the passwords of arbitrary users without providing the original password, and possibly perform other unauthorized actions.
  2. CVE-2000-0944 : Web application password change utility doesn't check the original password.


White Box Definitions
None

Black Box Definitions
None

Taxonomy Mappings

Taxonomy: OWASP Top Ten 2004
Id: A3
Name: Broken Authentication and Session Management
Fit: CWE_More_Specific
 

References:

  1. Michael Howard, David LeBlanc and John Viega. 24 Deadly Sins of Software Security. McGraw-Hill, 2010. Section "Sin 19: Use of Weak Password-Based Systems", page 279.

© 2013 SecPod Technologies