Exposed Dangerous Method or Function| ID: 749 | Date: (C)2012-05-14 (M)2022-10-10 |
| Type: weakness | Status: INCOMPLETE |
| Abstraction Type: Base |
Description
The software provides an Applications Programming Interface
(API) or similar interface for interaction with external actors, but the
interface includes a dangerous method or function that is not properly
restricted.
Extended DescriptionThis weakness can lead to a wide variety of resultant weaknesses,
depending on the behavior of the exposed method. It can apply to any number
of technologies and approaches, such as ActiveX controls, Java functions,
IOCTLs, and so on.The exposure can occur in a few different ways:1) The function/method was never intended to be exposed to outside
actors.2) The function/method was only intended to be accessible to a limited
set of actors, such as Internet-based access from a single web
site.
Likelihood of Exploit: Low to Medium
Applicable PlatformsLanguage Class: Language-Independent
Time Of Introduction
- Architecture and Design
- Implementation
Common Consequences
| Scope | Technical Impact | Notes |
|---|
| IntegrityConfidentialityAvailabilityAccess_ControlOther | Gain privileges / assume
identityRead application
dataModify application
dataExecute unauthorized code or
commandsOther | Exposing critical functionality essentially provides an attacker with
the privilege level of the exposed functionality. This could result in
the modification or exposure of sensitive data or possibly even
execution of arbitrary code. |
Detection MethodsNone
Potential Mitigations
| Phase | Strategy | Description | Effectiveness | Notes |
|---|
| Architecture and Design | | If you must expose a method, make sure to perform input validation on
all arguments, limit access to authorized parties, and protect against
all possible vulnerabilities. | | |
| Architecture and DesignImplementation | Identify and Reduce Attack Surface | Identify all exposed functionality. Explicitly list all functionality
that must be exposed to some user or set of users. Identify which
functionality may be:Ensure that the implemented code follows these expectations. This
includes setting the appropriate access modifiers where applicable
(public, private, protected, etc.) or not marking ActiveX controls
safe-for-scripting. | | |
Relationships
| Related CWE | Type | View | Chain |
|---|
| CWE-749 ChildOf CWE-907 | Category | CWE-888 | |
Demonstrative Examples (Details)
- In the following Java example the method removeDatabase will delete
the database with the name specified in the input parameter.
Observed Examples
- CVE-2007-6382 : arbitrary Java code execution via exposed method
- CVE-2007-1112 : security tool ActiveX control allows download or upload of files
For more examples, refer to CVE relations in the bottom box.
White Box Definitions None
Black Box Definitions None
Taxynomy MappingsNone
References:
- ..
- ..
