CWE-942

Permissive Cross-domain Security Policy with Untrusted Domains

Abstraction: Variant
Status: Incomplete

Description

The product uses a web-client protection mechanism such as a Content Security Policy (CSP) or cross-domain policy file, but the policy includes untrusted domains with which the web client is allowed to communicate.

Extended Description

If a cross-domain policy file includes domains that should not be trusted, such as when using wildcards under a high-level domain, then the application could be attacked by these untrusted domains. In many cases, the attack can be launched without the victim even being aware of it.

Common Consequences

Scope: Confidentiality, Integrity, Availability, Access Control

Impact: Execute Unauthorized Code or Commands, Bypass Protection Mechanism, Read Application Data, Varies by Context

Potential Mitigations

Phases: Architecture and Design; Operation

Define a restrictive Content Security Policy [REF-1486] or cross-domain policy file.

Phases: Architecture and Design; Operation

Avoid using wildcards in the CSP / cross-domain policy file. Any domain matching the wildcard expression will be implicitly trusted, and can perform two-way interaction with the target server.

Phases: Architecture and Design; Operation

For Flash, modify crossdomain.xml to use meta-policy options such as 'master-only' or 'none' to reduce the possibility of an attacker planting extraneous cross-domain policy files on a server.
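As an added example that is not part of the CWE entry, the script below audits a crossdomain.xml against these mitigations: it flags a meta-policy other than 'master-only' or 'none', wildcard entries that trust a whole public suffix, and entries that explicitly permit non-TLS origins. The sample policy and the short public-suffix list are constructed assumptions for illustration.

```python
"""Audit a crossdomain.xml for the CWE-942 pattern (added example, not MITRE's code)."""
import xml.etree.ElementTree as ET

# Constructed sample policy: three permissive entries plus one acceptable one.
SAMPLE_POLICY = """<cross-domain-policy>
  <site-control permitted-cross-domain-policies="all"/>
  <allow-access-from domain="*.com"/>
  <allow-access-from domain="*" secure="false"/>
  <allow-access-from domain="app.example.org"/>
</cross-domain-policy>
"""

# Assumed short list; a real audit would use the full public suffix list.
PUBLIC_SUFFIXES = {"com", "net", "org", "co.uk", "io"}
# Meta-policy values the entry recommends; anything else permits extra policy files.
SAFE_META_POLICIES = {"master-only", "none"}


def wildcard_is_too_broad(domain: str) -> bool:
    """True for a bare '*' or a wildcard whose remainder is only a public suffix."""
    if domain == "*":
        return True
    if domain.startswith("*."):
        return domain[2:].lower() in PUBLIC_SUFFIXES
    return False


def audit_policy(xml_text: str) -> list[str]:
    """Return one finding string per permissive setting found in the policy."""
    findings = []
    root = ET.fromstring(xml_text)
    for sc in root.iter("site-control"):
        meta = sc.get("permitted-cross-domain-policies", "")
        if meta not in SAFE_META_POLICIES:
            findings.append(f"meta-policy '{meta}' permits extra policy files")
    for rule in root.iter("allow-access-from"):
        domain = rule.get("domain", "")
        if wildcard_is_too_broad(domain):
            findings.append(f"domain '{domain}' trusts arbitrary origins")
        # Flash treats secure="true" as the default; only an explicit "false" is flagged.
        if rule.get("secure", "true").lower() == "false":
            findings.append(f"domain '{domain}' allows non-TLS origins")
    return findings


if __name__ == "__main__":
    for finding in audit_policy(SAMPLE_POLICY):
        print("FINDING:", finding)
```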

Observed Examples

CVE-2012-2292

Product has a Silverlight cross-domain policy that does not restrict access to another application, which allows remote attackers to bypass the Same Origin Policy.

CVE-2014-2049

The default Flash cross-domain policies in a product allow remote attackers to access user files.

CVE-2007-6243

Chain: Adobe Flash Player does not sufficiently restrict the interpretation and usage of cross-domain policy files, which makes it easier for remote attackers to conduct cross-domain and cross-site scripting (XSS) attacks.

CVE-2008-4822

Chain: Adobe Flash Player and earlier does not properly interpret policy files, which allows remote attackers to bypass a non-root domain policy.

CVE-2010-3636

Chain: Adobe Flash Player does not properly handle unspecified encodings during the parsing of a cross-domain policy file, which allows remote web servers to bypass intended access restrictions via unknown vectors.

Applicable Platforms

Not Language-Specific
