ABSTRACT

Allowing user input to control the fields of the MQ object descriptor (MQOD) can enable an attacker to access or modify otherwise protected MQ resources.

EXPLANATION

If an attacker can supply the values the application places in the object descriptor before calling MQOPEN, the attacker can influence which authorization checks the queue manager performs. When the open options include MQOO_ALTERNATE_USER_AUTHORITY, the queue manager authorizes the open against the alternate user ID (and, on Windows, the alternate security ID) carried in the MQOD rather than against the user ID under which the application connected. The application's own identity only needs the authority to use alternate user IDs; once it has that, whoever controls those fields chooses whose permissions are applied. An attacker who controls them can therefore pass all the access control checks and open an otherwise inaccessible object.



Example: The following COBOL code snippet reads values from the terminal and uses them to set the MQOD-ALTERNATEUSERID and MQOD-ALTERNATESECURITYID fields of the MQ object descriptor.


...
10 MQOD.
** Alternate user identifier
15 MQOD-ALTERNATEUSERID PIC X(12).
** Alternate security identifier
15 MQOD-ALTERNATESECURITYID PIC X(40).
...
...
** Both identity fields are taken directly from terminal input
ACCEPT MQOD-ALTERNATEUSERID.
ACCEPT MQOD-ALTERNATESECURITYID.
** With MQOO-ALTERNATE-USER-AUTHORITY in OPTS, the queue manager
** authorizes this open against the identity supplied above
CALL 'MQOPEN' USING HCONN, MQOD, OPTS, HOBJ, COMPCODE, REASON.
...


In this example, an attacker can supply the user ID (and security ID) of a more privileged identity and thereby pass the access control checks on the MQ object being opened.

In general, do not allow user-provided or otherwise untrusted data to control sensitive values. Populate MQOD-ALTERNATEUSERID and MQOD-ALTERNATESECURITYID only from trusted, application-controlled sources, such as a protected configuration or the identity the application itself authenticated, and, where a caller may legitimately request an alternate identity, check the request against a fixed allow-list before copying it into the descriptor.
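The following program is an added example and is not code from the original page or from IBM MQ: it is the hardened counterpart of the snippet above. The requested alternate user ID is still read from the terminal, but it is checked against a fixed allow-list before it is copied into MQOD-ALTERNATEUSERID, the alternate security ID is never taken from input, and the open is refused when the check fails. The queue name APP.REQUEST.QUEUE, the allow-list entries BATCHSVC and REPORTSVC, the use of the default queue manager, and the program name SAFEOPEN are assumptions for illustration. Compiling and running it requires the IBM MQ COBOL copybooks (CMQV, CMQODV) and access to a queue manager.

```cobol
       IDENTIFICATION DIVISION.
       PROGRAM-ID. SAFEOPEN.
      * Added example, not from the original page: opens a queue with an
      * alternate user ID only when the requested ID is on a fixed
      * allow-list. Queue, queue manager and allowed user names are
      * assumptions for illustration.
       ENVIRONMENT DIVISION.
       DATA DIVISION.
       WORKING-STORAGE SECTION.
      * IBM MQ constants (MQOO-*, MQOT-*, MQCC-*, MQCO-*) and the
      * object descriptor, from the product copybooks.
       01  MQM-CONSTANTS.
           COPY CMQV.
       01  OBJECT-DESCRIPTOR.
           COPY CMQODV.
       01  QM-NAME          PIC X(48) VALUE SPACES.
       01  TARGET-QUEUE     PIC X(48) VALUE 'APP.REQUEST.QUEUE'.
       01  HCONN            PIC S9(9) BINARY VALUE 0.
       01  HOBJ             PIC S9(9) BINARY VALUE 0.
       01  OPTS             PIC S9(9) BINARY VALUE 0.
       01  CLOSE-OPTS       PIC S9(9) BINARY VALUE 0.
       01  COMPCODE         PIC S9(9) BINARY VALUE 0.
       01  REASON           PIC S9(9) BINARY VALUE 0.
      * Untrusted value read from the terminal.
       01  REQUESTED-USER   PIC X(12) VALUE SPACES.
      * Allow-list of identities this program may act as (assumption:
      * compiled in; in practice read from a protected configuration).
       01  ALLOWED-USERS.
           05  FILLER       PIC X(12) VALUE 'BATCHSVC'.
           05  FILLER       PIC X(12) VALUE 'REPORTSVC'.
       01  ALLOWED-TABLE REDEFINES ALLOWED-USERS.
           05  ALLOWED-USER PIC X(12) OCCURS 2 TIMES.
       01  IDX              PIC 9(2) VALUE 0.
       01  USER-PERMITTED   PIC X VALUE 'N'.
       PROCEDURE DIVISION.
       MAIN-PARA.
           ACCEPT REQUESTED-USER.
           PERFORM CHECK-ALLOW-LIST.
           IF USER-PERMITTED NOT = 'Y'
               DISPLAY 'Alternate user not permitted: ' REQUESTED-USER
               GOBACK
           END-IF.
           CALL 'MQCONN' USING QM-NAME, HCONN, COMPCODE, REASON.
           IF COMPCODE NOT = MQCC-OK
               DISPLAY 'MQCONN failed, reason ' REASON
               GOBACK
           END-IF.
           PERFORM OPEN-QUEUE.
           IF COMPCODE = MQCC-OK
               DISPLAY 'Opened ' TARGET-QUEUE ' as ' MQOD-ALTERNATEUSERID
               MOVE MQCO-NONE TO CLOSE-OPTS
               CALL 'MQCLOSE' USING HCONN, HOBJ, CLOSE-OPTS,
                                    COMPCODE, REASON
           ELSE
               DISPLAY 'MQOPEN failed, reason ' REASON
           END-IF.
           CALL 'MQDISC' USING HCONN, COMPCODE, REASON.
           GOBACK.

      * Exact match against the allow-list; anything else is refused.
       CHECK-ALLOW-LIST.
           MOVE 'N' TO USER-PERMITTED.
           PERFORM VARYING IDX FROM 1 BY 1 UNTIL IDX > 2
               IF REQUESTED-USER = ALLOWED-USER(IDX)
                   MOVE 'Y' TO USER-PERMITTED
               END-IF
           END-PERFORM.

       OPEN-QUEUE.
           MOVE MQOT-Q TO MQOD-OBJECTTYPE.
           MOVE TARGET-QUEUE TO MQOD-OBJECTNAME.
      * The alternate user ID is copied only after the allow-list check,
      * and the security ID is never taken from input (LOW-VALUES is
      * MQSID_NONE, so the queue manager derives it itself).
           MOVE REQUESTED-USER TO MQOD-ALTERNATEUSERID.
           MOVE LOW-VALUES TO MQOD-ALTERNATESECURITYID.
      * MQOO-ALTERNATE-USER-AUTHORITY makes the queue manager authorize
      * MQOD-ALTERNATEUSERID instead of the connecting user; the
      * connecting user itself must hold +altusr on the queue manager.
           COMPUTE OPTS = MQOO-OUTPUT
                        + MQOO-ALTERNATE-USER-AUTHORITY
                        + MQOO-FAIL-IF-QUIESCING.
           CALL 'MQOPEN' USING HCONN, MQOD, OPTS, HOBJ, COMPCODE, REASON.
```

The allow-list check happens before MQCONN so that a rejected request never reaches the queue manager, and the only path that sets MQOO-ALTERNATE-USER-AUTHORITY is the one that has already validated the identity. The queue manager still enforces its own check: the user ID the program connects with must be granted alternate-user authority on the queue manager, so this pattern restricts which identities a caller may ask for, rather than widening what the program can do.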

REFERENCES

[1] Standards Mapping - OWASP Top 10 2004 - (OWASP 2004) A2 Broken Access Control

[2] Standards Mapping - OWASP Top 10 2007 - (OWASP 2007) A4 Insecure Direct Object Reference

[3] Standards Mapping - OWASP Top 10 2010 - (OWASP 2010) A4 Insecure Direct Object References

[4] Standards Mapping - FIPS200 - (FISMA) AC

[5] Standards Mapping - Security Technical Implementation Guide Version 3 - (STIG 3) APP3510 CAT I

[6] Standards Mapping - Common Weakness Enumeration - (CWE) CWE ID 639

[7] Standards Mapping - Web Application Security Consortium 24 + 2 - (WASC 24 + 2) Insufficient Authorization

[8] Standards Mapping - Payment Card Industry Data Security Standard Version 1.1 - (PCI 1.1) Requirement 6.5.2

[9] Standards Mapping - Payment Card Industry Data Security Standard Version 1.2 - (PCI 1.2) Requirement 6.5.4

[10] Standards Mapping - Payment Card Industry Data Security Standard Version 2.0 - (PCI 2.0) Requirement 6.5.8