CWE 356

Product UI does not Warn User of Unsafe Actions

Weakness ID: 356 (Weakness Base)

Status: Incomplete

Description

Description Summary

The software's user interface does not warn the user before undertaking an unsafe action on behalf of that user. This makes it easier for attackers to trick users into inflicting damage to their system.

Extended Description

Software systems should warn users that a potentially dangerous action may occur if the user proceeds. For example, if the user downloads a file from an unknown source and attempts to execute the file on their machine, then the application's GUI can indicate that the file is unsafe.

Time of Introduction

Architecture and Design
Implementation

Applicable Platforms

Languages

All

Observed Examples

Reference	Description
CVE-1999-1055	Product does not warn user when document contains certain dangerous functions or macros.
CVE-1999-0794	Product does not warn user when document contains certain dangerous functions or macros.
CVE-2000-0277	Product does not warn user when document contains certain dangerous functions or macros.
CVE-2000-0517	Product does not warn user about a certificate if it has already been accepted for a different site. Possibly resultant.
CVE-2005-0602	File extractor does not warn user it setuid/setgid files could be extracted. Overlaps privileges/permissions.
CVE-2000-0342	E-mail client allows bypass of warning for dangerous attachments via a Windows .LNK file that refers to the attachment.

Relationships

Nature	Type	ID	Name	View(s) this relationship pertains to
ChildOf	Weakness Class	221	Information Loss or Omission	Research Concepts (primary)1000
ChildOf	Category	355	User Interface Security Issues	Development Concepts (primary)699

Relationship Notes

Often resultant, e.g. in unhandled error conditions.

Can overlap privilege errors, conceptually at least.

Taxonomy Mappings

Mapped Taxonomy Name	Node ID	Fit	Mapped Node Name
PLOVER			Product UI does not warn user of unsafe actions

Content History

Submissions
Submission Date	Submitter	Organization	Source
	PLOVER		Externally Mined

Modifications
Modification Date	Modifier	Organization	Source
2008-07-01	Eric Dalci	Cigital	External
2008-07-01	updated Time of Introduction
2008-09-08	CWE Content Team	MITRE	Internal
2008-09-08	updated Relationships, Relationship Notes, Taxonomy Mappings
2008-10-14	CWE Content Team	MITRE	Internal
2008-10-14	updated Description

Facebook rss twitter linkedin mail

CWE 356

COMPANY

STANDARDS

RECENT POSTS

MENU