The designer must ensure the application does not store configuration and control files in the same directory as user data.

From Application Security and Development Security Technical Implementation Guide

Part of ASDV-PL-002960

Associated with: CCI-000345

SV-84931r1_rule The designer must ensure the application does not store configuration and control files in the same directory as user data.

Vulnerability discussion

Application configuration settings and user data are required to be stored in separate locations in order to prevent application users from possibly being able to access application configuration settings or application data files. Without proper access controls and separation of application configuration settings from user data, there is the potential that existing code or configuration settings could be changed by users. These changes in code can lead to a Denial of Service (DoS) attack or allow malicious code to be placed within the application. In addition, collocating application data and code complicates many issues such as backup, recovery, directory access privilege, and upgrades.

Check content

Review the application documentation and interview the application administrator. Ask the application administrator or examine the application documentation to determine the file location of the application configuration settings and user data. Identify the directory where the application code, configuration settings and other application control data are located. Identify where user data is stored. Examine file permissions to application folder. If the application user data is located in the same directory as the application configuration settings or control files, or if the file permissions allow application users write access to application configuration settings, this is a finding.

Fix text

Separate the application user data into a different directory than the application code and user file permissions to restrict user access to application configuration settings.

Pro Tips

Lavender hyperlinks in small type off to the right (of CSS class id, if you view the page source) point to globally unique URIs for each document and item. Copy the link location and paste anywhere you need to talk unambiguously about these things.

You can obtain data about documents and items in other formats. Simply provide an HTTP header Accept: text/turtle or Accept: application/rdf+xml.

Powered by sagemincer