Difference between revisions of "Use of Obsolete Methods"

From OWASP
Jump to: navigation, search
 
Line 1: Line 1:
{{Template:Vulnerability}}
 
{{Template:Fortify}}
 
 
 
Last revision (mm/dd/yy): '''{{REVISIONMONTH}}/{{REVISIONDAY}}/{{REVISIONYEAR}}'''
 
Last revision (mm/dd/yy): '''{{REVISIONMONTH}}/{{REVISIONDAY}}/{{REVISIONYEAR}}'''
  
[[ASDR_TOC_Vulnerabilities|Vulnerabilities Table of Contents]]
+
= Description =
 
+
==Description==
+
 
The use of deprecated or obsolete functions may indicate neglected code.
 
The use of deprecated or obsolete functions may indicate neglected code.
  
Line 18: Line 13:
 
Refer to the documentation for this function in order to determine why it is deprecated or obsolete and to learn about alternative ways to achieve the same functionality. The remainder of this text discusses general problems that stem from the use of deprecated or obsolete functions.
 
Refer to the documentation for this function in order to determine why it is deprecated or obsolete and to learn about alternative ways to achieve the same functionality. The remainder of this text discusses general problems that stem from the use of deprecated or obsolete functions.
  
 
+
= Risk Factors =
==Risk Factors==
+
  
 
* Talk about the [[OWASP Risk Rating Methodology|factors]] that make this vulnerability likely or unlikely to actually happen
 
* Talk about the [[OWASP Risk Rating Methodology|factors]] that make this vulnerability likely or unlikely to actually happen
Line 25: Line 19:
 
* Consider the likely [business impacts] of a successful attack
 
* Consider the likely [business impacts] of a successful attack
  
 
+
= Examples =
==Examples==
+
  
 
The following code uses the deprecated function getpw() to verify that a plaintext password matches a user's encrypted password. If the password is valid, the function sets result to 1; otherwise it is set to 0.
 
The following code uses the deprecated function getpw() to verify that a plaintext password matches a user's encrypted password. If the password is valid, the function sets result to 1; otherwise it is set to 0.
Line 44: Line 37:
 
Not all functions are deprecated or replaced because they pose a security risk. However, the presence of an obsolete function often indicates that the surrounding code has been neglected and may be in a state of disrepair. Software security has not been a priority, or even a consideration, for very long. If the program uses deprecated or obsolete functions, it raises the probability that there are security problems lurking nearby.
 
Not all functions are deprecated or replaced because they pose a security risk. However, the presence of an obsolete function often indicates that the surrounding code has been neglected and may be in a state of disrepair. Software security has not been a priority, or even a consideration, for very long. If the program uses deprecated or obsolete functions, it raises the probability that there are security problems lurking nearby.
  
 
==Related [[Attacks]]==
 
 
* [[Attack 1]]
 
* [[Attack 2]]
 
 
 
==Related [[Vulnerabilities]]==
 
 
* [[Vulnerability 1]]
 
* [[Vulnerabiltiy 2]]
 
 
 
 
==Related [[Controls]]==
 
 
* [[Control 1]]
 
* [[Control 2]]
 
 
 
==Related [[Technical Impacts]]==
 
 
* [[Technical Impact 1]]
 
* [[Technical Impact 2]]
 
 
 
==References==
 
 
TBD
 
[[Category:FIXME|add links
 
 
In addition, one should classify vulnerability based on the following subcategories: Ex:<nowiki>[[Category:Error Handling Vulnerability]]</nowiki>
 
 
Availability Vulnerability
 
 
Authorization Vulnerability
 
 
Authentication Vulnerability
 
 
Concurrency Vulnerability
 
 
Configuration Vulnerability
 
 
Cryptographic Vulnerability
 
 
Encoding Vulnerability
 
 
Error Handling Vulnerability
 
 
Input Validation Vulnerability
 
 
Logging and Auditing Vulnerability
 
 
Session Management Vulnerability]]
 
 
__NOTOC__
 
 
 
[[Category:OWASP ASDR Project]]
 
 
[[Category:Code Quality Vulnerability]]
 
[[Category:Code Quality Vulnerability]]
 
[[Category:C]]
 
[[Category:C]]

Latest revision as of 13:38, 5 April 2014

Last revision (mm/dd/yy): 04/5/2014

Description

The use of deprecated or obsolete functions may indicate neglected code.

As programming languages evolve, functions occasionally become obsolete due to:

  • Advances in the language
  • Improved understanding of how operations should be performed effectively and securely
  • Changes in the conventions that govern certain operations
  • Functions that are removed are usually replaced by newer counterparts that perform the same task in some different and hopefully improved way.

Refer to the documentation for this function in order to determine why it is deprecated or obsolete and to learn about alternative ways to achieve the same functionality. The remainder of this text discusses general problems that stem from the use of deprecated or obsolete functions.

Risk Factors

  • Talk about the factors that make this vulnerability likely or unlikely to actually happen
  • Discuss the technical impact of a successful exploit of this vulnerability
  • Consider the likely [business impacts] of a successful attack

Examples

The following code uses the deprecated function getpw() to verify that a plaintext password matches a user's encrypted password. If the password is valid, the function sets result to 1; otherwise it is set to 0.

	...
	getpw(uid, pwdline); 	
	for (i=0; i<3; i++){
		cryptpw=strtok(pwdline, ":");
		pwdline=0;
	}
	result = strcmp(crypt(plainpw,cryptpw), cryptpw) == 0;
	...

Although the code often behaves correctly, using the getpw() function can be problematic from a security standpoint, because it can overflow the buffer passed to its second parameter. Because of this vulnerability, getpw() has been supplanted by getpwuid(), which performs the same lookup as getpw() but returns a pointer to a statically-allocated structure to mitigate the risk.

Not all functions are deprecated or replaced because they pose a security risk. However, the presence of an obsolete function often indicates that the surrounding code has been neglected and may be in a state of disrepair. Software security has not been a priority, or even a consideration, for very long. If the program uses deprecated or obsolete functions, it raises the probability that there are security problems lurking nearby.