Obscured Security-relevant Information by Alternate Name

Status: Incomplete
Abstraction: Base
Structure: Simple
Description

The product records security-relevant information according to an alternate name of the affected entity, instead of the canonical name.

Common Consequences 1
Scope: Non-Repudiation, Access Control

Impact: Hide Activities, Gain Privileges or Assume Identity

Demonstrative Examples 1

ID: DX-175

This code prints the contents of a file if a user has permission.

Code Example:

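Bad (PHP)

```php
// Enclosing function header is a placeholder: its name and parameters are assumed.
// $user is the requesting user's ID; writeLog() is the application's log helper (not shown).
function printFileIfPermitted($filename, $user){
  // default to the supplied name when it is not a link
  $realFile = $filename;

  // resolve file if it's a symbolic link
  if(is_link($filename)){
    $realFile = readlink($filename);
  }

  if(fileowner($realFile) == $user){
    echo file_get_contents($realFile);
    return;
  }
  else{
    echo 'Access denied';
    // BAD: logs the user-supplied name, not the resolved $realFile
    writeLog($user . ' attempted to access the file '. $filename . ' on '. date('r'));
  }
}
```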

While the code logs a bad access attempt, it logs the user-supplied name for the file, not the canonicalized file name. An attacker can obscure their target by giving the script the name of a link to the file they are attempting to access. Also note that this code contains a race condition between the is_link() and readlink() functions (Race Condition Enabling Link Following).
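A hardened counterpart to the example above, added here as an illustration and not part of the CWE entry: it resolves the name once, checks ownership on the opened handle, and logs the supplied name, the canonical path and the device:inode pair, which also identifies a target reached through a hard link. The function names `printFileIfOwner()` and `auditLine()`, the numeric-UID `$user`, and the use of `error_log()` as the log sink are assumptions.

```php
<?php
// Added example (not from the CWE entry). $user is assumed to be a numeric UID;
// error_log() goes wherever the application has configured it.

function auditLine(int $user, string $supplied, ?string $canonical, string $id, string $result): string
{
    // json_encode() quotes both names so embedded newlines cannot split a log entry.
    $q = fn($v) => json_encode($v, JSON_INVALID_UTF8_SUBSTITUTE);
    return sprintf('%s uid=%d result=%s supplied=%s canonical=%s file_id=%s',
        date('r'), $user, $result, $q($supplied), $q($canonical), $id);
}

function printFileIfOwner(string $filename, int $user): bool
{
    // Resolve symlinks, "." and ".." once; realpath() returns false if the path is missing.
    $canonical = realpath($filename);
    $fh = ($canonical === false) ? false : @fopen($canonical, 'rb');
    if ($fh === false) {
        error_log(auditLine($user, $filename, $canonical ?: null, '-', 'open_failed'));
        echo 'Access denied';
        return false;
    }
    // fstat() describes the object actually opened, so the owner check and the
    // logged identity refer to the same file that would be read.
    $st = fstat($fh);
    // Hard links share one inode: dev:ino names the target under any alias.
    $id = $st['dev'] . ':' . $st['ino'];
    $allowed = ($st['uid'] === $user);
    error_log(auditLine($user, $filename, $canonical, $id, $allowed ? 'granted' : 'denied'));
    if ($allowed) {
        fpassthru($fh);
    } else {
        echo 'Access denied';
    }
    fclose($fh);
    return $allowed;
}

// Constructed demo: a temp file reached through a symlink with a harmless-looking name.
$target = tempnam(sys_get_temp_dir(), 'target');
file_put_contents($target, "secret\n");
$link = $target . '.notes';
symlink($target, $link);
printFileIfOwner($link, fileowner($target));      // granted; log carries both names
printFileIfOwner($link, fileowner($target) + 1);  // denied; log still names the real target
unlink($link);
unlink($target);
```

A window remains between `realpath()` and `fopen()`, so the logged canonical path can still be stale if the link is swapped in that window; the `file_id` field is taken from the open handle and is the value to correlate on.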
Observed Examples 1
CVE-2002-0725: Attacker performs malicious actions on a hard link to a file, obscuring the real target file.
References 1
Writing Secure Code
Michael Howard and David LeBlanc
Microsoft Press
04-12-2002
ID: REF-7
Applicable Platforms
Languages:
Not Language-Specific : Undetermined
Modes of Introduction
Implementation
Operation
Related Weaknesses
Taxonomy Mapping
  • PLOVER