CWE
Home > CWE List > CWE-566 Individual Dictionary Definition (Draft 9)   View the CWE List

CWE-566 Individual Dictionary Definition (Draft 9)

Access Control Bypass Through User-Controlled SQL Primary Key
Weakness ID
Status: Incomplete

566 (Weakness Variant)

Description

Summary

Without proper access control, executing a SQL statement that contains a user-controlled primary key can allow an attacker to view unauthorized records.

Demonstrative
Examples

The following code uses a parameterized statement, which escapes metacharacters and prevents SQL injection vulnerabilities, to construct and execute a SQL query that searches for an invoice matching the specified identifier [1]. The identifier is selected from a list of all invoices associated with the current authenticated user.

...
conn = new SqlConnection(_ConnectionString);
conn.Open();
int16 id = System.Convert.ToInt16(invoiceID.Text);
SqlCommand query = new SqlCommand( "SELECT * FROM invoices WHERE id = @id", conn);
query.Parameters.AddWithValue("@id", id);
SqlDataReader objReader = objCommand.ExecuteReader();
...

The problem is that the developer has failed to consider all of the possible values of id. Although the interface generates a list of invoice identifiers that belong to the current user, an attacker can bypass this interface to request any desired invoice. Because the code in this example does not check to ensure that the user has permission to access the requested invoice, it will display any invoice, even if it does not belong to the current user.

Context Notes

Database access control errors occur when: 1. Data enters a program from an untrusted source. 2. The data is used to specify the value of a primary key in a SQL query.

Relationships
NatureTypeIDName
ChildOfWeakness VariantWeakness VariantWeakness Variant639Access Control Bypass Through User-Controlled Key
Source Taxonomies

Anonymous Tool Vendor (under NDA) -

Page Last Updated: April 22, 2008