Improper Filesystem Permissions

Page history last edited by Robert Auger 9 years, 11 months ago

Project: WASC Threat Classification

Threat Type: Weakness

Reference ID: WASC-17

Improper filesystem permissions are a threat to the confidentiality, integrity and availability of a web application. The problem arises when incorrect permissions are set on files, folders, and symbolic links. When permissions are too permissive, an attacker may be able to read restricted files or directories, or modify or delete their contents. For example, if an anonymous user account has write permission to a file, an attacker may be able to change the contents of the file and influence the web application in undesirable ways. An attacker may also abuse improperly placed symlinks to escalate privileges or reach unauthorized files; for example, a symlink inside the web root that points to a directory outside of it lets the web server read files that were never meant to be served.

 

The following are some of the permissions that can be set on files and folders. The first five are the basic (summary) permissions; the rest are the special permissions that make them up, as named on Windows NTFS. POSIX filesystems use the simpler read, write and execute bits, set separately for the owner, the group and everyone else.

- Read
- Write
- Modify
- Execute
- List Folder Contents
- Traverse Folder / Execute File
- List Folder / Read Data
- Read Attributes
- Read Extended Attributes
- Create Files / Write Data
- Create Folders / Append Data
- Write Attributes
- Write Extended Attributes
- Delete Subfolders and Files
- Delete
- Read Permissions
- Change Permissions
- Take Ownership
- Synchronize

Every file, directory and symlink on the operating system and web server has a set of permissions associated with it.

 

Web servers use an operating system account to access the resources offered by the underlying filesystem. That account's permissions decide whether the server can read the application's source code and whether it can execute server-side scripts. When a browser requests a file, the web server decides how to serve it based on the file type and its configured handlers. If the client requests an HTML file, the web server attempts to open the file from the filesystem using its operating system account; depending on the permissions assigned to the file, the web server will either serve the file or return a 403 Forbidden error. If the client requests a script (e.g. default.jsp), the web server hands the request to the matching processing engine. If the script is served by a handler that depends on the execute permission (for example CGI) and the file is marked read-only without an execute bit, or if no handler is mapped to the file, the web server may send the raw file to the client instead of executing the code within it, disclosing the source.

 

Examples

1. The web server account is incorrectly given write access to the server's index file, "default.asp". An attacker who finds any flaw that lets the server write to that path (for example an unrestricted file upload or a path traversal in a write operation) can then replace the contents of "default.asp" and serve their own code to every visitor.

2. The web server account is incorrectly given access to system files such as password files, password hashes and critical operating system files. An attacker may be able to read or modify those files through the web server, for instance when a directory traversal vulnerability is present.

3. The web server account is incorrectly given script source access, or script files are placed where no handler executes them. An attacker may then be able to view the source code of the web application, including any embedded credentials.
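To make the previous paragraph and the three examples concrete, the following is an added example written for this page (it is not WASC's own tooling). It resolves what a given web server account can do to each entry under a web root using the POSIX owner/group/other rule, and reports the conditions described above: content writable by the server account, world-writable entries, secrets left world-readable, and symlinks whose target resolves outside the web root. The server account is modelled as a hypothetical uid plus a set of group ids, the file names in SECRET_NAMES are assumed examples, and the sample site in build_fixture() is constructed for the demonstration.

```python
"""Audit a web root as the web server's OS account would see it.

Added example for this page, not WASC's own code. Assumptions: plain POSIX
mode bits (no ACLs), the server account supplied as a uid plus group ids, and
a constructed sample tree from build_fixture().
"""
import os
import stat
import tempfile

# Assumed names of files that must never be readable by everyone on the host.
SECRET_NAMES = {".htpasswd", "config.php", "web.config", ".env"}


def effective_perms(st, uid, gids):
    """Return the rwx string account (uid, gids) gets on an inode.

    POSIX rule: owner bits if the uid matches, else group bits if the inode's
    group is one of the account's groups, else the 'other' bits. uid 0 (root)
    bypasses read/write checks and may execute if any execute bit is set.
    """
    mode = st.st_mode
    if uid == 0:
        anyx = mode & (stat.S_IXUSR | stat.S_IXGRP | stat.S_IXOTH)
        return "rw" + ("x" if anyx else "-")
    if st.st_uid == uid:
        bits = (mode >> 6) & 7
    elif st.st_gid in gids:
        bits = (mode >> 3) & 7
    else:
        bits = mode & 7
    return "".join(c if bits & b else "-" for c, b in (("r", 4), ("w", 2), ("x", 1)))


def perms_as(webroot, rel, uid, gids):
    """Permissions the account gets on one entry, relative to the web root."""
    return effective_perms(os.lstat(os.path.join(webroot, rel)), uid, gids)


def audit(webroot, uid, gids):
    """Walk webroot without following symlinks; return (relative path, finding)."""
    findings = []
    root_real = os.path.realpath(webroot)
    for dirpath, dirnames, filenames in os.walk(webroot):
        for name in dirnames + filenames:
            path = os.path.join(dirpath, name)
            rel = os.path.relpath(path, webroot)
            st = os.lstat(path)  # inspect the link itself, not its target
            if stat.S_ISLNK(st.st_mode):
                target = os.path.realpath(path)
                if os.path.commonpath([root_real, target]) != root_real:
                    findings.append((rel, "symlink escapes web root"))
                continue
            if st.st_mode & stat.S_IWOTH:
                findings.append((rel, "world-writable"))
            # Only regular files: upload directories need their own policy.
            if stat.S_ISREG(st.st_mode) and "w" in effective_perms(st, uid, gids):
                findings.append((rel, "writable by server account"))
            if name in SECRET_NAMES and st.st_mode & stat.S_IROTH:
                findings.append((rel, "secret readable by everyone"))
    return findings


def build_fixture():
    """Constructed sample site. Returns (webroot, server_uid, server_gids).

    The hypothetical server account is not the file owner but shares the
    owner's primary group, so the group bits decide what it may do.
    """
    base = tempfile.mkdtemp()
    webroot = os.path.join(base, "htdocs")
    os.mkdir(webroot)
    uid, gid = os.getuid() + 1, os.getgid()

    def put(rel, mode):
        p = os.path.join(webroot, rel)
        with open(p, "wb") as f:
            f.write(b"sample\n")
        os.chmod(p, mode)  # set the mode explicitly so umask cannot interfere

    put("default.asp", 0o664)   # example 1: index page writable via the group
    put("about.html", 0o644)    # correct: server account can only read
    put(".htpasswd", 0o644)     # secret readable by every local account
    put("config.php", 0o640)    # correct: group reads, everyone else denied
    put("upload.txt", 0o666)    # world-writable
    os.mkdir(os.path.join(webroot, "img"))
    os.chmod(os.path.join(webroot, "img"), 0o755)
    os.symlink("img", os.path.join(webroot, "images"))  # stays inside: fine
    os.symlink(base, os.path.join(webroot, "outside"))  # example 2: escapes
    return webroot, uid, {gid}


if __name__ == "__main__":
    root, uid, gids = build_fixture()
    for rel, what in sorted(audit(root, uid, gids)):
        print(f"{rel:14} {what}")
```

Running the script lists five findings for the sample tree: default.asp and upload.txt writable by the server account, upload.txt world-writable, .htpasswd readable by everyone, and the outside symlink. The in-root images link and the correctly set about.html and config.php produce nothing, which is the point of resolving permissions from the server account's perspective rather than from whoever runs the audit.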

 

References

"How to set, view, change, or remove special permissions for files and folders in Windows XP", Microsoft

[1] http://support.microsoft.com/kb/308419

 

"chattr", Wikipedia

[2] http://en.wikipedia.org/wiki/Chattr

 

"File System", OWASP

[3] http://www.owasp.org/index.php/File_System

 

"Improper Handling of Insufficient Permissions or Privileges", CWE

[4] http://cwe.mitre.org/data/definitions/280.html

 

"Convenience or just bad design?", Saqib Ali

[5] http://seclists.org/webappsec/2006/q3/0052.html

 

See Also 'Insufficient Authorization'

[6] http://projects.webappsec.org/Insufficient-Authorization

 

See Also 'Server Misconfiguration'

[7] http://projects.webappsec.org/Server-Misconfiguration

