CAPEC-264 - Environment Variable Manipulation

An attacker manipulates environment variables used by an application to perform a variety of possible attacks. Changing variable values is usually undertaken as part of another attack; for example, a path traversal (inserting relative path modifiers) or buffer overflow (enlarging a variable value beyond an application's ability to store it).

Severity

Likelihood

Confidentiality

Integrity

Availability

The targeted application must rely on external variables in such a way that malicious manipulation of them can subvert functionality.

The attacker must be able to manipulate the targeted environment variables, either at runtime or by accessing a configuration file or manipulating start-up values.

Design: Ensure that variables that should not be manipulated by a user are not accessible to them.
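
Where an application still has to read a directory path from the environment, the two manipulations named in the description (relative path modifiers and oversized values) can be rejected before the value is used. The following C sketch is an added example, not part of the CAPEC entry; every function and enum name in it is hypothetical, and it assumes POSIX-style `/`-separated paths.

```c
#include <stdlib.h>
#include <string.h>

/* Status codes; all names in this block are hypothetical. */
enum env_status { ENV_OK, ENV_MISSING, ENV_TOO_LONG, ENV_NOT_ABSOLUTE, ENV_TRAVERSAL };

/* Return 1 if any '/'-separated component of path is exactly "..". */
static int has_dotdot_component(const char *path)
{
    const char *p = path;
    for (;;) {
        const char *end = strchr(p, '/');
        size_t len = end ? (size_t)(end - p) : strlen(p);
        if (len == 2 && p[0] == '.' && p[1] == '.')
            return 1;
        if (end == NULL)
            return 0;
        p = end + 1;
    }
}

/* Validate an untrusted directory value and copy it into out[outlen].
 * On any failure out is left as an empty string. */
enum env_status validate_dir_value(const char *val, char *out, size_t outlen)
{
    size_t len;

    if (out == NULL || outlen == 0)
        return ENV_TOO_LONG;
    out[0] = '\0';
    if (val == NULL || val[0] == '\0')
        return ENV_MISSING;
    len = strlen(val);
    if (len >= outlen)               /* no room for value plus terminator */
        return ENV_TOO_LONG;
    if (val[0] != '/')               /* relative paths depend on the cwd */
        return ENV_NOT_ABSOLUTE;
    if (has_dotdot_component(val))   /* relative path modifier */
        return ENV_TRAVERSAL;
    memcpy(out, val, len + 1);
    return ENV_OK;
}

/* Read environment variable `name` through the validator above. */
enum env_status env_get_dir(const char *name, char *out, size_t outlen)
{
    return validate_dir_value(getenv(name), out, outlen);
}
```

The caller should treat any status other than `ENV_OK` as a reason to fall back to a compiled-in default or to refuse to start, rather than using the raw value.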