[Forgot Password]
Login  Register Subscribe

23631

 
 

115084

 
 

97147

 
 

909

 
 

78730

 
 

109

Paid content will be excluded from the download.


Download | Alert*
CWE
view XML

Exposed Dangerous Method or Function

ID: 749Date: (C)2012-05-14   (M)2017-10-12
Type: weaknessStatus: INCOMPLETE
Abstraction Type: Base





Description

The software provides an Applications Programming Interface (API) or similar interface for interaction with external actors, but the interface includes a dangerous method or function that is not properly restricted.

Extended Description

This weakness can lead to a wide variety of resultant weaknesses, depending on the behavior of the exposed method. It can apply to any number of technologies and approaches, such as ActiveX controls, Java functions, IOCTLs, and so on.

The exposure can occur in a few different ways:

1) The function/method was never intended to be exposed to outside actors.

2) The function/method was only intended to be accessible to a limited set of actors, such as Internet-based access from a single web site.

Likelihood of Exploit: Low to Medium

Applicable Platforms
Language Class: Language-Independent

Time Of Introduction

  • Architecture and Design
  • Implementation

Common Consequences

ScopeTechnical ImpactNotes
Integrity
Confidentiality
Availability
Access_Control
Other
 
Gain privileges / assume identity
Read application data
Modify application data
Execute unauthorized code or commands
Other
 
Exposing critical functionality essentially provides an attacker with the privilege level of the exposed functionality. This could result in the modification or exposure of sensitive data or possibly even execution of arbitrary code.
 

Detection Methods
None

Potential Mitigations

PhaseStrategyDescriptionEffectivenessNotes
Architecture and Design
 
 If you must expose a method, make sure to perform input validation on all arguments, limit access to authorized parties, and protect against all possible vulnerabilities.
 
  
Architecture and Design
Implementation
 
Identify and Reduce Attack Surface
 
Identify all exposed functionality. Explicitly list all functionality that must be exposed to some user or set of users. Identify which functionality may be:

Ensure that the implemented code follows these expectations. This includes setting the appropriate access modifiers where applicable (public, private, protected, etc.) or not marking ActiveX controls safe-for-scripting.
 
  

Relationships

Related CWETypeViewChain
CWE-749 ChildOf CWE-907 Category CWE-888  

Demonstrative Examples   (Details)

  1. In the following Java example the method removeDatabase will delete the database with the name specified in the input parameter.

Observed Examples

  1. CVE-2007-6382 : arbitrary Java code execution via exposed method
  2. CVE-2007-1112 : security tool ActiveX control allows download or upload of files

For more examples, refer to CVE relations in the bottom box.

White Box Definitions
None

Black Box Definitions
None

Taxynomy Mappings
None

References:

  1. ..
  2. ..

© 2013 SecPod Technologies