
CWE-766: Critical Variable Declared Public

 
Weakness ID: 766 (Weakness Variant)
Status: Incomplete
+ Description

Description Summary

The software declares a critical variable or field to be public when intended security policy requires it to be private.
+ Time of Introduction
  • Architecture and Design
  • Implementation
+ Applicable Platforms

Languages
  • C++
  • C#
  • Java

+ Common Consequences
Scope
  • Integrity
  • Confidentiality

Effect

Making a critical variable public allows anyone with access to the object in which the variable is contained to alter or read the value.

+ Likelihood of Exploit

Low to Medium

+ Demonstrative Examples

Example 1

The following example declares a critical variable public, making it accessible to anyone with access to the object in which it is contained.

(Bad Code)
C++
public: char* password;

Instead, the critical data should be declared private.

(Good Code)
C++
private: char* password;

Even though this example declares the password to be private, there are other possible issues with this implementation, such as the possibility of recovering the password from process memory (CWE-257).

+ Potential Mitigations
Phase: Implementation

Description: Data should be private, static, and final whenever possible. This ensures that the data is initialized early, cannot be accessed from outside its class, and cannot be tampered with.
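As an added illustration (not code from the CWE entry), the following C++ program puts the demonstrative example's public password field beside a hardened class that applies the Implementation mitigation above: the credential is private and const (the C++ analogue of final), and the only operation exposed is a verification check, so no holder of the object can read or replace the value. The class names, function names and sample credentials are constructed for this example.

```cpp
#include <cstddef>
#include <iostream>
#include <string>
#include <utility>

// Constructed example, not part of the CWE entry. WeakAccount mirrors the
// "Bad Code" snippet: the credential field is public, so any code that can
// reach the object can read or overwrite it (the Integrity and
// Confidentiality consequences listed on the page).
struct WeakAccount {
    std::string user;
    std::string password;   // CWE-766: critical field declared public
};

// HardenedAccount applies the mitigation: the credential is private and const,
// and the class exposes only a verification operation, never the value itself.
// (The password is still held in cleartext in memory, which the entry flags as
// a separate issue, CWE-257; this example only addresses visibility.)
class HardenedAccount {
public:
    HardenedAccount(std::string user, std::string password)
        : user_(std::move(user)), password_(std::move(password)) {}

    const std::string& user() const { return user_; }

    // Compare every byte instead of returning at the first mismatch, so the
    // check does not reveal how much of a guess was correct. (The length check
    // still reveals the length; a real system would compare fixed-size hashes.)
    bool verify(const std::string& attempt) const {
        if (attempt.size() != password_.size()) return false;
        unsigned char diff = 0;
        for (std::size_t i = 0; i < attempt.size(); ++i)
            diff |= static_cast<unsigned char>(attempt[i] ^ password_[i]);
        return diff == 0;
    }

private:
    const std::string user_;
    const std::string password_;   // private + const: not readable or replaceable
};

// Any holder of a WeakAccount can silently replace the credential.
bool weakAccountCanBeTampered() {
    WeakAccount acct{"alice", "s3cret"};      // constructed sample credential
    acct.password = "attacker-chosen";         // compiles: nothing guards the field
    return acct.password == "attacker-chosen";
}

// With HardenedAccount the equivalent line, acct.password_ = "...", does not
// compile, so the only way to interact with the credential is verify().
bool hardenedAccountOnlyVerifies() {
    HardenedAccount acct("alice", "s3cret");   // constructed sample credential
    return acct.verify("s3cret") && !acct.verify("s3cre") && !acct.verify("S3cret");
}

int main() {
    std::cout << std::boolalpha
              << "weak account tampered: " << weakAccountCanBeTampered() << '\n'
              << "hardened account verifies correctly: "
              << hardenedAccountOnlyVerifies() << '\n';
    return 0;
}
```

Compile with any C++11 or later compiler; the useful check is the one the compiler performs for you: uncommenting an assignment to `password_` from outside the class is a build error, which is exactly the guarantee the public field lacks.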

+ Relationships
  • ChildOf Weakness Class 485: Insufficient Encapsulation (Views: Development Concepts (primary) 699; Research Concepts 1000)
  • ChildOf Weakness Class 668: Exposure of Resource to Wrong Sphere (Views: Research Concepts (primary) 1000)
+ Taxonomy Mappings
  • CLASP: Failure to protect stored data from modification
+ Content History
Submissions
  • 2009-03-03: Internal CWE Team
Page Last Updated: October 29, 2009