CWE-863: Incorrect Authorization

Description

The product performs an authorization check when an actor attempts to access a resource or perform an action, but it does not correctly perform the check. This allows attackers to bypass intended access restrictions.

Submission Date :

May 24, 2011, midnight

Modification Date :

2023-06-29 00:00:00+00:00

Organization :

MITRE
Extended Description

Assuming a user with a given identity, authorization is the process of determining whether that user can access a given resource, based on the user's privileges and any permissions or other access-control specifications that apply to the resource.

When access control checks are incorrectly applied, users are able to access data or perform actions that they should not be allowed to perform. This can lead to a wide range of problems, including information exposures, denial of service, and arbitrary code execution.

Example Vulnerable Codes

Example - 1

The following code could be for a medical records application. It displays a record to already authenticated users, confirming the user's authorization using a value stored in a cookie.




// save the cookie to send out in future responsessetcookie("role", $role, time()+60*60*2);

ShowLoginScreen();die("\n");$role = getRole('user');if ($role) {}else{}
DisplayMedicalHistory($_POST['patient_ID']);
die("You are not Authorized to view this record\n");$role = $_COOKIES['role'];if (!$role) {}if ($role == 'Reader') {}else{}

The programmer expects that the cookie will only be set when getRole() succeeds. The programmer even diligently specifies a 2-hour expiration for the cookie. However, the attacker can easily set the "role" cookie to the value "Reader". As a result, the $role variable is "Reader", and getRole() is never invoked. The attacker has bypassed the authorization system.

Visit http://cwe.mitre.org/ for more details.

© cvefeed.io
Latest DB Update: Dec. 22, 2024 2:15