CWE-280: Improper Handling of Insufficient Permissions or Privileges
Weakness ID: 280
The application does not handle, or incorrectly handles, the case where it has insufficient privileges to access resources or functionality as specified by their permissions. This may cause it to follow unexpected code paths that can leave the application in an invalid state.
FTP server places a user in the root directory when the user's permissions prevent access to his/her own home directory.
Phase: Architecture and Design
Strategy: Separation of Privilege
Compartmentalize the system to have "safe" areas where trust boundaries can be unambiguously drawn. Do not allow sensitive data to go outside of the trust boundary and always be careful when interfacing with a compartment outside of the safe area.

Ensure that appropriate compartmentalization is built into the system design and that the compartmentalization serves to allow for and further reinforce privilege separation functionality. Architects and designers should rely on the principle of least privilege to decide when it is appropriate to use and to drop system privileges.
Always check whether you have successfully accessed a resource or system functionality, and use proper error handling if the access is unsuccessful. Do this even when you are operating in a highly privileged mode, because errors or environmental conditions might still cause a failure. For example, environments with highly granular permission/privilege models, such as Windows privileges or Linux capabilities, can cause unexpected failures.
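The FTP example above, shown as an added illustration that is not part of the CWE entry: a session-start routine that "handles" a failed chdir by dropping the user into the server root, next to a version that checks the result and fails closed. The `chdir` parameter (defaulting to `os.chdir`) and the `deny_access` stand-in are assumptions made so the permission failure can be reproduced without changing real filesystem permissions.

```python
import os
from typing import Callable

ChdirFn = Callable[[str], None]


class SessionError(Exception):
    """Raised when a session cannot be started in the user's home."""


def vulnerable_session_start(home: str, chdir: ChdirFn = os.chdir) -> str:
    """CWE-280 pattern from the FTP example: a failed chdir is 'handled' by
    dropping the user into the server root, so the session continues in a
    directory the design never intended."""
    try:
        chdir(home)
        return home
    except OSError:
        chdir("/")  # insufficient permission silently becomes root access
        return "/"


def hardened_session_start(home: str, chdir: ChdirFn = os.chdir) -> str:
    """Check that the home was actually entered and refuse the session
    otherwise, instead of following an unexpected code path."""
    if not os.path.isabs(home) or home == "/":
        raise SessionError(f"refusing suspicious home directory {home!r}")
    try:
        chdir(home)
    except PermissionError as exc:
        # The process lacks the privilege the design assumed: fail closed.
        raise SessionError(f"cannot enter {home!r}: permission denied") from exc
    except OSError as exc:
        raise SessionError(f"cannot enter {home!r}: {exc.strerror}") from exc
    return home


def deny_access(path: str) -> None:
    """Constructed stand-in for os.chdir that simulates a home directory the
    server process has no permission to enter (errno 13, EACCES)."""
    raise PermissionError(13, "Permission denied", path)


if __name__ == "__main__":
    print("vulnerable ->", vulnerable_session_start("/home/alice", chdir=deny_access))
    try:
        hardened_session_start("/home/alice", chdir=deny_access)
    except SessionError as err:
        print("hardened  ->", err)
```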
This can be both primary and resultant. When primary, it can expose a variety of weaknesses because a resource might not have the expected state, and subsequent operations might fail. It is often resultant from Unchecked Error Condition (CWE-391).
This type of issue is under-studied, since researchers often concentrate on whether an object has too many permissions, instead of not enough. These weaknesses are likely to appear in environments with fine-grained models for permissions and privileges, which can include operating systems and other large-scale software packages. However, even highly simplistic permission/privilege models are likely to contain these issues if the developer has not considered the possibility of access failure.

Within the context of vulnerability theory, privileges and permissions are two sides of the same coin. Privileges are associated with actors, and permissions are associated with resources. To perform access control, at some point the software makes a decision about whether the actor (and the privileges that have been assigned to that actor) is allowed to access the resource (based on the permissions that have been specified for that