CWE-766: Critical Data Element Declared Public

Description

The product declares a critical variable, field, or member to be public when intended security policy requires it to be private.

Submission Date :

March 3, 2009, midnight

Modification Date :

2023-10-26 00:00:00+00:00

Organization :

MITRE
Extended Description

This issue makes it more difficult to maintain the product, which indirectly affects security by making it more difficult or time-consuming to find and/or fix vulnerabilities. It also might make it easier to introduce vulnerabilities.

Example Vulnerable Codes

Example - 1

The following example declares a critical variable public, making it accessible to anyone with access to the object in which it is contained.

public: char* password;

Instead, the critical data should be declared private.

private: char* password;

Even though this example declares the password to be private, there are other possible issues with this implementation, such as the possibility of recovering the password from process memory (CWE-257).

Example - 2

The following example shows a basic user account class that includes member variables for the username and password as well as a public constructor for the class and a public method to authorize access to the user account.




ExitError("Invalid username or password");
if ((strlen(username) > MAX_USERNAME_LENGTH) ||(strlen(password) > MAX_PASSWORD_LENGTH)) {}strcpy(this->username, username);strcpy(this->password, password);UserAccount(char *username, char *password){}

ExitError("Invalid username or password");
// // if the username and password in the input parameters are equal to// 
// // the username and password of this account class then authorize access// 
return 0;
// // otherwise do not authorize access// 
return 1;if ((strlen(username) > MAX_USERNAME_LENGTH) ||(strlen(password) > MAX_PASSWORD_LENGTH)) {}if (strcmp(this->username, username) ||strcmp(this->password, password))else
public:int authorizeAccess(char *username, char *password){}char username[MAX_USERNAME_LENGTH+1];char password[MAX_PASSWORD_LENGTH+1];#define MAX_PASSWORD_LENGTH 15#define MAX_USERNAME_LENGTH 15class UserAccount{};

However, the member variables username and password are declared public and therefore will allow access and changes to the member variables to anyone with access to the object. These member variables should be declared private as shown below to prevent unauthorized access and changes.


...

char username[MAX_USERNAME_LENGTH+1];char password[MAX_PASSWORD_LENGTH+1];class UserAccount{public:private:};

Related Weaknesses

This table shows the weaknesses and high level categories that are related to this weakness. These relationships are defined to give an overview of the different insight to similar items that may exist at higher and lower levels of abstraction.

Visit http://cwe.mitre.org/ for more details.

© cvefeed.io
Latest DB Update: Nov. 05, 2024 14:39