|
|
|
|
CWE-620 Individual Dictionary Definition (Draft 9)
Weakness ID
| Status: Draft 620 (Weakness Variant) | | Description | Summary When setting a new password for a user, the product does not require knowledge of the
original password, or using another form of
authentication. Extended Description This could be used by an attacker to
change passwords for another user, thus gaining the privileges associated with that user. | | Potential Mitigations | When prompting for a password change, force the user to provide the original password
in addition to the new password. Do not use "forgotten password" functionality. But if you must, ensure that you are
only providing information to the actual user, e.g. by using an email address or challenge
question that the legitimate user already provided in the past; do not allow the current user
to change this identity information until the correct password has been provided. | Demonstrative Examples | $user = $_GET['user']; $pass = $_GET['pass']; $checkpass = $_GET['checkpass']; if ($pass == $checkpass) { SetUserPassword($user, $pass); }
| | Observed Examples | | Reference | Description |
|---|
| CVE-2007-0681 |
| | Context Notes | This weakness can be both Primary or Resultant | | Relationships | | | Applicable Platforms | All |
|