Access Control (Authorization) Issues
Weakness ID: 284 (Weakness Class) | Status: Incomplete
Description Summary
Alternate Terms
Term | Description
---|---
Authorization | The terms "authorization" and "access control" seem to be used interchangeably.
Potential Mitigations
Very carefully manage the setting, management and handling of privileges. Explicitly manage trust zones in the software.
Phase: Architecture and Design
Ensure that appropriate compartmentalization is built into the system design and that the compartmentalization serves to allow for and further reinforce privilege separation functionality. Architects and designers should rely on the principle of least privilege to decide when it is appropriate to use and to drop system privileges.
Background Details
An access control list (ACL) represents who/what has permissions to a given object. Different operating systems implement ACLs in different ways. In UNIX, there are three types of permissions: read, write, and execute. Users are divided into three classes for file access: owner, group owner, and all other users, where each class has a separate set of rights. In Windows NT, there are four basic types of permissions for files: "No access", "Read access", "Change access", and "Full control". Windows NT extends the concept of three types of users in UNIX to include a list of users and groups along with their associated permissions. A user can create an object (file) and assign specified permissions to that object.
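The UNIX model described above, as an added worked example that is not part of the CWE entry: a small evaluator that maps a requesting principal onto exactly one of the three classes (owner, group owner, other) and checks the read/write/execute bits for that class. The `Principal`, `FileAcl` and `is_allowed` names, and the octal mode strings, are constructed for this example. It also shows the fail-closed behaviour the maintenance notes single out: an ACL (here, a mode string) that cannot be parsed yields a deny rather than falling through to an allow. The Windows NT permission types are not modelled.

```python
"""
Added example (not part of the CWE-284 text): evaluate a UNIX-style
file access decision.

Assumptions (constructed for this example):
- A file's ACL is modelled as owner, owning group, and an octal mode
  string such as "0640" (owner rw-, group r--, others ---).
- A principal is a user name plus the set of groups it belongs to.
- A mode string that does not parse is treated as "deny": the check
  fails closed instead of silently granting access.
"""
from dataclasses import dataclass, field
from typing import FrozenSet, Optional, Tuple

READ, WRITE, EXEC = 4, 2, 1  # bits within one rwx triplet


@dataclass(frozen=True)
class Principal:
    user: str
    groups: FrozenSet[str] = field(default_factory=frozenset)


@dataclass(frozen=True)
class FileAcl:
    owner: str
    group: str
    mode: str  # octal string, e.g. "0640"


def parse_mode(mode: str) -> Optional[Tuple[int, int, int]]:
    """Return (owner, group, other) rwx triplets, or None if unparseable.

    Only the nine permission bits are accepted; setuid/setgid/sticky
    or any non-octal input is rejected so the caller can fail closed.
    """
    try:
        value = int(mode, 8)
    except (TypeError, ValueError):
        return None
    if value < 0 or value > 0o777:
        return None
    return (value >> 6) & 7, (value >> 3) & 7, value & 7


def is_allowed(principal: Principal, acl: FileAcl, perm: int) -> bool:
    """True only if every bit in `perm` is granted to the principal's class."""
    triplets = parse_mode(acl.mode)
    if triplets is None:
        return False  # ACL parse error -> deny (fail closed)
    owner_bits, group_bits, other_bits = triplets
    # UNIX selects exactly one class: owner first, then group, then other.
    # A file owner whose owner bits deny access is denied even if the
    # group or other class would have allowed it.
    if principal.user == acl.owner:
        bits = owner_bits
    elif acl.group in principal.groups:
        bits = group_bits
    else:
        bits = other_bits
    return bits & perm == perm


if __name__ == "__main__":
    # Constructed sample principals and ACLs.
    alice = Principal("alice", frozenset({"dev"}))
    bob = Principal("bob", frozenset({"dev"}))
    eve = Principal("eve")
    report = FileAcl(owner="alice", group="dev", mode="0640")
    for who in (alice, bob, eve):
        print(who.user, "read:", is_allowed(who, report, READ),
              "write:", is_allowed(who, report, WRITE))
    # Malformed mode: denied rather than accidentally allowed.
    print("broken ACL read:", is_allowed(alice, FileAcl("alice", "dev", "rw-r-----"), READ))
```

The class selection is the part practitioners most often get wrong when re-implementing this model: membership is decided once, in order, and the chosen class's bits are final, which is why the owner of a `0070` file is denied even though the group would be allowed.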
Relationships
Nature | Type | ID | Name | View(s) this relationship pertains to
---|---|---|---|---
ChildOf | Category | 264 | Permissions, Privileges, and Access Controls | Development Concepts (primary) 699
ChildOf | Category | 632 | Weaknesses that Affect Files or Directories | Resource-specific Weaknesses (primary) 631
ChildOf | Weakness Class | 693 | Protection Mechanism Failure | Research Concepts (primary) 1000
ChildOf | Category | 723 | OWASP Top Ten 2004 Category A2 - Broken Access Control | Weaknesses in OWASP Top Ten (2004) (primary) 711
ParentOf | Weakness Class | 285 | Improper Access Control (Authorization) | Development Concepts (primary) 699; Research Concepts (primary) 1000
ParentOf | Weakness Base | 639 | Access Control Bypass Through User-Controlled Key | Development Concepts (primary) 699; Research Concepts (primary) 1000
ParentOf | Weakness Variant | 647 | Use of Non-Canonical URL Paths for Authorization Decisions | Development Concepts (primary) 699; Research Concepts (primary) 1000
ParentOf | Weakness Variant | 782 | Exposed IOCTL with Insufficient Access Control | Development Concepts 699
Taxonomy Mappings
Mapped Taxonomy Name | Node ID | Fit | Mapped Node Name
---|---|---|---
PLOVER | | | Access Control List (ACL) errors
WASC | 2 | | Insufficient Authorization
Related Attack Patterns (CAPEC Version: 1.4)
CAPEC-ID | Attack Pattern Name
---|---
19 | Embedding Scripts within Scripts
References
[REF-11] M. Howard and D. LeBlanc. "Writing Secure Code". Chapter 6, "Determining Appropriate Access Control", Page 171. 2nd Edition. Microsoft. 2002.
Maintenance Notes
The name of this item implies that it is a category for general access control / authorization issues, although the description is limited to permissions.
This item needs more work. Possible sub-categories include:
* Trusted group includes undesired entities
* Group can perform undesired actions
* ACL parse error does not fail closed
Submissions
Submission Date | Submitter | Organization | Source
---|---|---|---
 | PLOVER | | Externally Mined
Modifications
Modification Date | Modifier | Organization | Source | Changes
---|---|---|---|---
2008-07-01 | Eric Dalci | Cigital | External | updated Time of Introduction
2008-09-08 | CWE Content Team | MITRE | Internal | updated Alternate Terms, Background Details, Description, Maintenance Notes, Name, Relationships, Taxonomy Mappings
2008-10-14 | CWE Content Team | MITRE | Internal | updated Relationships
2009-03-10 | CWE Content Team | MITRE | Internal | updated Relationships
2009-07-27 | CWE Content Team | MITRE | Internal | updated Alternate Terms, Relationships
2009-12-28 | CWE Content Team | MITRE | Internal | updated Potential Mitigations
Previous Entry Names
Change Date | Previous Entry Name
---|---
2008-09-09 | Access Control Issues