Unverified Password Change |
Weakness ID: 620 (Weakness Variant) | Status: Draft |
Description Summary
When setting a new password for a user, the product does not require knowledge of the original password, or using another form of authentication.
Extended Description
This could be used by an attacker to change passwords for another user, thus gaining the privileges associated with that user.
Example 1
Example Language: PHP
$user = $_GET['user'];
$pass = $_GET['pass'];
$checkpass = $_GET['checkpass'];
if ($pass == $checkpass) {
SetUserPassword($user, $pass);
}
Reference | Description |
---|---|
CVE-2007-0681 | |
CVE-2000-0944 | Web application password change utility doesn't check the original password. |
When prompting for a password change, force the user to provide the original password in addition to the new password. |
Do not use "forgotten password" functionality. But if you must, ensure that you are only providing information to the actual user, e.g. by using an email address or challenge question that the legitimate user already provided in the past; do not allow the current user to change this identity information until the correct password has been provided. |
Ordinality | Description |
---|---|
Primary | (where the weakness exists independent of other weaknesses) |
Resultant | (where the weakness is typically related to the presence of some other weaknesses) |
Nature | Type | ID | Name | View(s) this relationship pertains to |
---|---|---|---|---|
ChildOf | Category | 255 | Credentials Management | Development Concepts699 |
ChildOf | Weakness Base | 522 | Insufficiently Protected Credentials | Development Concepts (primary)699 Research Concepts (primary)1000 |
ChildOf | Category | 724 | OWASP Top Ten 2004 Category A3 - Broken Authentication and Session Management | Weaknesses in OWASP Top Ten (2004) (primary)711 |
Mapped Taxonomy Name | Node ID | Fit | Mapped Node Name |
---|---|---|---|
OWASP Top Ten 2004 | A3 | CWE More Specific | Broken Authentication and Session Management |
Modifications | ||||
---|---|---|---|---|
Modification Date | Modifier | Organization | Source | |
2008-07-01 | Eric Dalci | Cigital | External | |
updated Time of Introduction | ||||
2008-08-15 | Veracode | External | ||
Suggested OWASP Top Ten 2004 mapping | ||||
2008-09-08 | CWE Content Team | MITRE | Internal | |
updated Description, Relationships, Observed Example, Other Notes, Taxonomy Mappings | ||||
2008-11-24 | CWE Content Team | MITRE | Internal | |
updated Observed Examples | ||||
2009-05-27 | CWE Content Team | MITRE | Internal | |
updated Demonstrative Examples | ||||
2009-12-28 | CWE Content Team | MITRE | Internal | |
updated Other Notes, Weakness Ordinalities |