
Lack of data validation - Out of range

Description

An authenticated user in a domain that restricts certain functionalities, such as Employee Management, can bypass those restrictions by requesting the absolute paths of these functionalities directly.

Impact

Access the employee management panel from an unauthorized domain.

Recommendation

Verify on the server side that users in a domain for which a functionality is restricted cannot reach it by requesting the absolute path of that functionality directly.
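One way to enforce this check on the server side, as an added example that is not code from the original page: the requested path is canonicalized before being mapped to a functionality, so that encoding, case and dot-segment variations of the same absolute path are all denied for a domain that lacks it. The domain names, the policy tables and the URL prefixes are constructed for the example.

```python
import posixpath
from urllib.parse import unquote

# Constructed sample policy (hypothetical domains and features):
# which functionalities each domain may use, and which URL prefixes
# belong to each functionality.
DOMAIN_FEATURES = {
    "acme.example": {"employee_management", "reports"},
    "restricted.example": {"reports"},
}
FEATURE_PATHS = {
    "employee_management": ("/employees", "/admin/employees"),
    "reports": ("/reports",),
}


def canonical_path(raw_path: str) -> str:
    """Reduce a requested URL path to one comparable form before checking it.

    Query string is dropped, percent-encoding is decoded twice (to catch
    double-encoded separators), '.', '..' and repeated '/' are collapsed,
    and case is folded so '/Employees/../employees/list/' equals '/employees/list'.
    """
    path = unquote(unquote(raw_path.split("?", 1)[0]))
    path = "/" + path.lstrip("/")          # single leading slash
    path = posixpath.normpath(path)        # collapses //, ./ and ../ segments
    return path.lower()


def feature_for_path(path: str):
    """Return the functionality a canonical path belongs to, or None."""
    for feature, prefixes in FEATURE_PATHS.items():
        for prefix in prefixes:
            # match on a segment boundary so '/employeesX' is not '/employees'
            if path == prefix or path.startswith(prefix + "/"):
                return feature
    return None


def is_allowed(domain: str, raw_path: str) -> bool:
    """Server-side decision: a path that maps to a restricted functionality
    is allowed only if the user's domain has that functionality enabled."""
    feature = feature_for_path(canonical_path(raw_path))
    if feature is None:
        return True  # not part of any restricted functionality
    return feature in DOMAIN_FEATURES.get(domain, set())
```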

Threat

Authenticated user on the Internet.

Expected Remediation Time

⌚ 15 minutes.

Score

Default score using CVSS 3.1. It may change depending on the context of the vulnerability.

Base

  • Attack vector: N
  • Attack complexity: L
  • Privileges required: L
  • User interaction: N
  • Scope: U
  • Confidentiality: N
  • Integrity: L
  • Availability: N

Temporal

  • Exploit code maturity: X
  • Remediation level: X
  • Report confidence: X

Result

  • Vector string: CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:N/I:L/A:N/E:X/RL:X/RC:X
  • Score:
    • Base: 4.3
    • Temporal: 4.3
  • Severity:
    • Base: Medium
    • Temporal: Medium

Code Examples

Compliant code

The application uses user input only after validating it on the server side.

// The pending authentication request (future) for user.id in user.domain is
// assumed to have been issued through the context elsewhere
public void grantAccess(User user) throws Exception {
    AuthenticationContext context = new AuthenticationContext(AUTHORITY, false, service);
    AuthenticationResult result = future.get();
    if (result != null) {
        File requestedFile = getFile(user.request.file);
        // Resolve only the paths allowed for this user's role before accessing domain folders or files
        String userPath = getUserAllowedPath(user.role);
        modifyFiles(user.id, userPath, requestedFile);
    }
}

Non-compliant code

The application uses user input without server-side validation.

// The pending authentication request (future) for user.id in user.domain is
// assumed to have been issued through the context elsewhere
public void grantAccess(User user) throws Exception {
    AuthenticationContext context = new AuthenticationContext(AUTHORITY, false, service);
    AuthenticationResult result = future.get();
    if (result != null) {
        // The path is taken straight from the request, so a relative path can reach files outside the domain's restrictions
        modifyFiles(user.id, user.requestedPath, user.request.file);
    }
}

Requirements