Configuration Management / External Control of System or Configuration Setting
External Control of System or Configuration Setting (CWE-908) is a vulnerability that occurs when an external user is able to manipulate a system's settings or its configuration. This type of vulnerability is typically found in web and API applications, as well as in infrastructure components such as servers and network devices. It can be used to bypass authentication and authorization checks, gain access to sensitive information, or alter system configuration, leading to further exploitation. According to the OWASP Testing Guide, this vulnerability can be identified by examining the source code and the input validation of the system to determine whether external users have the ability to manipulate system settings.
The risk of this vulnerability is high, as it can lead to unauthorized access to sensitive data, bypassed authentication and authorization checks, and even modified system configuration. Depending on the system and its configuration, attackers may be able to use this vulnerability to gain administrative privileges, allowing them to take full control of the system and its data.
The best way to mitigate this vulnerability is to limit the ability of external users to access and modify system settings. This can be accomplished by implementing proper authentication and authorization mechanisms, together with input validation, so that only authorized users are able to modify system settings, and only to acceptable values. Additionally, system administrators should regularly review system logs to detect any unexpected or unauthorized changes to system settings.
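The following is an added example (not code from the original page or from any project it refers to) that contrasts a settings endpoint where the caller chooses both the key and the value, the pattern described above, with a hardened version that applies the three mitigations just listed: an authorization check, an allowlist of externally controllable keys with per-key validation, and an audit record for later log review. The configuration keys, roles and values are constructed for the illustration.

```python
import copy

# Constructed sample configuration for a hypothetical web application.
BASE_CONFIG = {
    "log_level": "INFO",
    "debug": False,
    "admin_password": "placeholder-secret",
    "upload_dir": "/var/app/uploads",
}
# Accepted changes are recorded here; this is what an administrator would review.
AUDIT_LOG = []


def update_setting_vulnerable(config, user_roles, key, value):
    """Vulnerable: any caller may set any key to any value (external control)."""
    config[key] = value
    return config[key]


# Hardened form: only allowlisted keys may be changed, each with its own validator.
ALLOWED_SETTINGS = {
    "log_level": lambda v: v in {"DEBUG", "INFO", "WARN", "ERROR"},
    "upload_dir": lambda v: isinstance(v, str)
    and v.startswith("/var/app/") and ".." not in v,
}


def update_setting_hardened(config, user_roles, key, value, actor="unknown"):
    """Authorization, allowlist and value validation run before config is touched."""
    if "admin" not in user_roles:                        # authorization check
        raise PermissionError("only administrators may change settings")
    validator = ALLOWED_SETTINGS.get(key)
    if validator is None:                                # key is not externally settable
        raise ValueError(f"setting {key!r} cannot be changed through this interface")
    if not validator(value):                             # input validation
        raise ValueError(f"rejected value for {key!r}")
    old = config[key]
    config[key] = value
    AUDIT_LOG.append({"actor": actor, "key": key, "old": old, "new": value})
    return old


def demo():
    """Apply the same unauthorized requests to both versions; return both configs."""
    vuln, hard = copy.deepcopy(BASE_CONFIG), copy.deepcopy(BASE_CONFIG)
    requests = [("debug", True), ("admin_password", "changed"), ("upload_dir", "/etc")]
    for key, value in requests:
        update_setting_vulnerable(vuln, {"user"}, key, value)
        try:
            update_setting_hardened(hard, {"user"}, key, value, actor="user")
        except (PermissionError, ValueError):
            pass                                         # denied: config unchanged
    return vuln, hard
```

Running `demo()` shows the vulnerable copy with debug mode on, the password replaced and the upload directory moved, while the hardened copy is untouched; an administrator using `update_setting_hardened` can still change `log_level`, and that change lands in `AUDIT_LOG`.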