CAPEC Details
Name Manipulating Writeable Configuration Files
Likelyhood of attack Typical severity
High Very High
Summary Generally these are manually edited files that are not in the preview of the system administrators, any ability on the attackers' behalf to modify these files, for example in a CVS repository, gives unauthorized access directly to the application, the same as authorized users.
Prerequisites Configuration files must be modifiable by the attacker
Solutions Design: Enforce principle of least privilege Design: Backup copies of all configuration files Implementation: Integrity monitoring for configuration files Implementation: Enforce audit logging on code and configuration promotion procedures. Implementation: Load configuration from separate process and memory space, for example a separate physical device like a CD
Related Weaknesses
CWE ID Description
CWE-77 Improper Neutralization of Special Elements used in a Command ('Command Injection')
CWE-99 Improper Control of Resource Identifiers ('Resource Injection')
CWE-346 Origin Validation Error
CWE-349 Acceptance of Extraneous Untrusted Data With Trusted Data
CWE-353 Missing Support for Integrity Check
CWE-354 Improper Validation of Integrity Check Value
CWE-713 OWASP Top Ten 2007 Category A2 - Injection Flaws
Related CAPECS
CAPEC ID Description
CAPEC-176 An attacker manipulates files or settings external to a target application which affect the behavior of that application. For example, many applications use external configuration files and libraries - modification of these entities or otherwise affecting the application's ability to use them would constitute a configuration/environment manipulation attack.