CWE-287
Weakness ID: 287 (Weakness Class)
Status: Draft
Improper Authentication
Description
When a user claims to have a given identity, the software does not adequately prove that the claim is correct.
Alternate Terms
authentification
As an alternate term, "authentification" is commonly used in non-English-speaking countries.
AuthC
"AuthC" is used as an abbreviation of "authentication" in the web application security community. It is distinguished from "AuthZ", the abbreviation of "authorization". Because "Auth" on its own cannot be told apart as meaning "authentication" or "authorization", using "Auth" alone is discouraged.
Time of Introduction
Architecture and Design
Applicable Platforms
Language-independent
Common Consequences
Scope | Impact |
---|---|
Integrity, Access Control | This weakness may expose resources or functionality to unintended users. In some cases an attacker may obtain sensitive information or even execute arbitrary code. |
Likelihood of Exploit
Medium to High
Detection Methods
Automated Static Analysis
Automated static analysis tools can detect certain types of authentication, for example by analyzing configuration files such as .htaccess for Apache HTTP Server, or by detecting the use of commonly used authentication libraries.
In general, automated static analysis tools have difficulty detecting customized authentication schemes.
In addition, a software design may include functionality that any user can reach without being authenticated.
Effectiveness: Limited
Manual Static Analysis
This weakness can be detected by manual analysis combined with penetration testing, threat modeling, and interactive testing tools that can record and modify an active session.
Manual static analysis is effective for evaluating the correctness of customized authentication mechanisms.
Effectiveness: High
Manual analysis is more effective than fully automated techniques. It is especially effective when the weakness relates to design and business rules.
Demonstrative Examples
Example 1:
The following code is intended to check that the user is already logged in. If not, the code authenticates the user with the submitted username and password. On successful login it stores the cookies "loggedin" and "user" to "remember" that the user has already logged in. Finally, the code performs administrator tasks if the logged-in username recorded in the user cookie is "Administrator".
Sample code: Perl (bad)

```perl
use CGI;

my $q = new CGI;
if ($q->cookie('loggedin') ne "true") {
    if (! AuthenticateUser($q->param('username'), $q->param('password'))) {
        ExitError("Error: you need to log in first");
    } else {
        # Set loggedin and user cookies.
        $q->cookie(
            -name  => 'loggedin',
            -value => 'true'
        );
        $q->cookie(
            -name  => 'user',
            -value => $q->param('username')
        );
    }
}
# Trusts the client-supplied "user" cookie to decide on administrator rights.
if ($q->cookie('user') eq "Administrator") {
    DoAdministratorTasks();
}
```
Unfortunately, this code can be bypassed. An attacker can set only the cookies, so that the code never checks the username and password. The attacker does this with an HTTP request containing headers such as the following.
(Attack)

```http
GET /cgi-bin/vulnerable.cgi HTTP/1.1
Cookie: user=Administrator
Cookie: loggedin=true

[body of request]
```

By setting the value of the loggedin cookie to "true", the attacker bypasses the entire authentication check. By setting the username in the cookie to "Administrator", the attacker also obtains administrator privileges on the software.
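The following is an added example, not part of the CWE entry: it re-implements the Perl sample's cookie check in Python beside a hardened version that keeps login state and identity in a server-side session table, and runs both against the attacker's request shown above. The credential store, salt, session table and the function names are constructed for illustration; `check_credentials` stands in for the sample's `AuthenticateUser()`.

```python
import hashlib, hmac, secrets
from http.cookies import SimpleCookie

# Constructed input: the attacker's cookies from the request above, folded
# into one Cookie header value.
ATTACKER_COOKIE_HEADER = "user=Administrator; loggedin=true"

def parse_cookies(header):
    """Parse a Cookie header value into a plain dict of name -> value."""
    jar = SimpleCookie()
    jar.load(header or "")
    return {name: morsel.value for name, morsel in jar.items()}

def vulnerable_is_admin(cookie_header):
    """Mirrors the Perl sample: identity and login state come from client cookies."""
    cookies = parse_cookies(cookie_header)
    if cookies.get("loggedin") != "true":
        return False  # the Perl sample would fall back to AuthenticateUser() here
    return cookies.get("user") == "Administrator"

# Hardened version: the cookie carries only an opaque random session id; login
# state and identity live in a server-side table that only login() fills.
SALT = b"constructed-salt"  # constructed; use a random per-user salt in practice
USERS = {  # constructed credential store: username -> PBKDF2-SHA256 hash
    "Administrator": hashlib.pbkdf2_hmac("sha256", b"correct horse", SALT, 100_000),
}
SESSIONS = {}  # session id -> username

def check_credentials(username, password):
    """Hypothetical stand-in for AuthenticateUser(); constant-time compare."""
    stored = USERS.get(username)
    if stored is None:
        return False
    candidate = hashlib.pbkdf2_hmac("sha256", password.encode(), SALT, 100_000)
    return hmac.compare_digest(stored, candidate)

def login(username, password):
    """Return a fresh unguessable session id on success, else None."""
    if not check_credentials(username, password):
        return None
    sid = secrets.token_urlsafe(32)
    SESSIONS[sid] = username
    return sid

def hardened_is_admin(cookie_header):
    """Identity comes from the server-side session table, never from the client."""
    user = SESSIONS.get(parse_cookies(cookie_header).get("session", ""))
    return user == "Administrator"
```

The forged cookies satisfy `vulnerable_is_admin` but not `hardened_is_admin`, because a guessed or absent session id simply maps to no user.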
Example 2:
In January 2009, an attacker succeeded in accessing a Twitter server as an administrator, because the Twitter server did not limit the number of login attempts. The attacker targeted a member of Twitter's support team and succeeded in guessing that member's password with a brute-force attack using a large number of common passwords. Once the attacker had access as a support member, the administrator panel was used to gain access to 33 accounts belonging to celebrities and politicians, and fake Twitter messages were then sent impersonating the owners of those accounts.
Reference:
Kim Zetter. "Weak Password Brings 'Happiness' to Twitter Hacker". 2009-01-09. <http://www.wired.com/threatlevel/2009/01/professed-twitt/>.
Observed Examples
Reference | Description |
---|---|
CVE-2009-3421 | login script for guestbook allows bypassing authentication by setting a "login_ok" parameter to 1. |
CVE-2009-2382 | admin script allows authentication bypass by setting a cookie value to "LOGGEDIN". |
CVE-2009-1048 | VOIP product allows authentication bypass using 127.0.0.1 in the Host header. |
CVE-2009-2213 | product uses default "Allow" action, instead of default deny, leading to authentication bypass. |
CVE-2009-2168 | chain: redirect without exit (CWE-698) leads to resultant authentication bypass. |
CVE-2009-3107 | product does not restrict access to a listening port for a critical service, allowing authentication to be bypassed. |
CVE-2009-1596 | product does not properly implement a security-related configuration setting, allowing authentication bypass. |
CVE-2009-2422 | authentication routine returns "nil" instead of "false" in some situations, allowing authentication bypass using an invalid username. |
CVE-2009-3232 | authentication update script does not properly handle when admin does not select any authentication modules, allowing authentication bypass. |
CVE-2009-3231 | use of LDAP authentication with anonymous binds causes empty password to result in successful authentication |
CVE-2005-3435 | product authentication succeeds if user-provided MD5 hash matches the hash in its database; this can be subjected to replay attacks. |
CVE-2005-0408 | chain: product generates predictable MD5 hashes using a constant value combined with username, allowing authentication bypass. |
Potential Mitigations
Phase: Architecture and Design
Strategy: Libraries or Frameworks
Use an authentication framework or library such as the OWASP ESAPI Authentication feature.
Relationships
Nature | Type | ID | Name | View(s) this relationship pertains to |
---|---|---|---|---|
ChildOf | Category | 254 | Security Features | Development Concepts (primary) 699 |
ChildOf | Weakness Class | 693 | Protection Mechanism Failure | Research Concepts (primary) 1000 |
ChildOf | Category | 718 | OWASP Top Ten 2007 Category A7 - Broken Authentication and Session Management | Weaknesses in OWASP Top Ten (2007) (primary) 629 |
ChildOf | Category | 724 | OWASP Top Ten 2004 Category A3 - Broken Authentication and Session Management | Weaknesses in OWASP Top Ten (2004) (primary) 711 |
ChildOf | Category | 812 | OWASP Top Ten 2010 Category A3 - Broken Authentication and Session Management | Weaknesses in OWASP Top Ten (2010) (primary) 809 |
ParentOf | Weakness Class | 300 | Channel Accessible by Non-Endpoint ('Man-in-the-Middle') | Development Concepts (primary) 699; Research Concepts (primary) 1000 |
ParentOf | Weakness Variant | 301 | Reflection Attack in an Authentication Protocol | Development Concepts (primary) 699; Research Concepts (primary) 1000 |
ParentOf | Weakness Base | 303 | Incorrect Implementation of Authentication Algorithm | Development Concepts (primary) 699; Research Concepts (primary) 1000 |
ParentOf | Weakness Base | 304 | Missing Critical Step in Authentication | Development Concepts (primary) 699 |
ParentOf | Weakness Variant | 306 | Missing Authentication for Critical Function | Development Concepts (primary) 699; Research Concepts (primary) 1000 |
ParentOf | Weakness Base | 307 | Improper Restriction of Excessive Authentication Attempts | Development Concepts (primary) 699; Research Concepts (primary) 1000 |
ParentOf | Weakness Base | 308 | Use of Single-factor Authentication | Development Concepts (primary) 699; Research Concepts (primary) 1000 |
ParentOf | Weakness Base | 309 | Use of Password System for Primary Authentication | Development Concepts (primary) 699; Research Concepts (primary) 1000 |
ParentOf | Weakness Base | 322 | Key Exchange without Entity Authentication | Research Concepts (primary) 1000 |
ParentOf | Compound Element: Composite | 384 | Session Fixation | Development Concepts 699; Research Concepts (primary) 1000 |
ParentOf | Weakness Class | 592 | Authentication Bypass Issues | Development Concepts (primary) 699; Research Concepts (primary) 1000 |
ParentOf | Weakness Base | 603 | Use of Client-Side Authentication | Development Concepts (primary) 699; Research Concepts 1000 |
ParentOf | Weakness Base | 645 | Overly Restrictive Account Lockout Mechanism | Development Concepts (primary) 699; Research Concepts (primary) 1000 |
ParentOf | Weakness Base | 798 | Use of Hard-coded Credentials | Research Concepts (primary) 1000 |
ParentOf | Weakness Base | 804 | Guessable CAPTCHA | Development Concepts 699; Research Concepts 1000 |
MemberOf | View | 635 | Weaknesses Used by NVD | Weaknesses Used by NVD (primary) 635 |
CanFollow | Weakness Base | 304 | Missing Critical Step in Authentication | Research Concepts 1000 |
CanFollow | Weakness Base | 613 | Insufficient Session Expiration | Development Concepts 699; Research Concepts 1000 |
Relationship Notes
This weakness can occur as the result of other vulnerabilities such as SQL injection.
Taxonomy Mappings
Mapped Taxonomy Name | Node ID | Fit | Mapped Node Name |
---|---|---|---|
PLOVER | | | Authentication Error |
OWASP Top Ten 2007 | A7 | CWE More Specific | Broken Authentication and Session Management |
OWASP Top Ten 2004 | A3 | CWE More Specific | Broken Authentication and Session Management |
WASC | 1 | | Insufficient Authentication |
Related Attack Patterns
CAPEC-ID | Attack Pattern Name (CAPEC Version 1.5) |
---|---|
22 | Exploiting Trust in Client (aka Make the Client Invisible) |
94 | Man in the Middle Attack |
57 | Utilizing REST's Trust in the System Resource to Register Man in the Middle |
114 | Authentication Abuse |
References
OWASP. "Top 10 2007-Broken Authentication and Session Management". <http://www.owasp.org/index.php/Top_10_2007-A7>.
OWASP. "Guide to Authentication". <http://www.owasp.org/index.php/Guide_to_Authentication>.
Microsoft. "Authentication". <http://msdn.microsoft.com/en-us/library/aa374735(VS.85).aspx>.
[REF-11] M. Howard and D. LeBlanc. "Writing Secure Code". Chapter 4, "Authentication" Page 109. 2nd Edition. Microsoft. 2002.
Update History
[2011-04-21]
Updated to the data as of 2010-10-12.
[2009-06-29]
Created based on the URL below as of 2009-02-02.
http://cwe.mitre.org/data/definitions/287.html
Registered: 2011/04/21
Last updated: 2023/04/04