Base · Medium

CWE-1188: Initialization of a Resource with an Insecure Default

CWE-1188 · Base Level · 2 CVEs

Description

The product initializes or sets a resource with a default that is intended to be changed by the product's installer, administrator, or maintainer, but the default is not secure.

Potential Impact

Other

Varies by Context

Demonstrative Examples

This code attempts to log in a user using credentials from a POST request:
Bad
// $user and $pass automatically set from POST request
if (login_user($user, $pass)) {
  $authorized = true;
}
...
if ($authorized) {
  generatePage();
}
Because the $authorized variable is never initialized, PHP will automatically set $authorized to any value included in the POST request if register_globals is enabled. An attacker can send a POST request with an unexpected third value 'authorized' set to 'true' and gain authorized status without supplying valid credentials.
Here is a fixed version:
Good
$user = $_POST['user'];
$pass = $_POST['pass'];
$authorized = false;
if (login_user($user, $pass)) {
  $authorized = true;
}
...
This code avoids the issue by initializing the $authorized variable to false and explicitly retrieving the login credentials from the $_POST variable. Regardless, register_globals should never be enabled and is disabled by default in current versions of PHP.

Detection Methods

  • Automated Static Analysis — Automated static analysis, commonly referred to as Static Application Security Testing (SAST), can find some instances of this weakness by analyzing source code (or binary/compiled code) without having to execute it. Typically, this is done by building a model of data flow and control flow, then sea

Real-World CVE Examples

CVE ID         | Description
CVE-2022-36349 | Insecure default variable initialization in BIOS firmware for a hardware board allows DoS.
CVE-2022-42467 | A generic database browser interface has a default mode that exposes a web server to the network, allowing queries to the database.
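The PHP example above and CVE-2022-42467 show the two faces of this weakness: a state variable that is not initialized to a safe value, and a shipped setting that exposes a service until an administrator changes it. The following Python module is an added illustration, not code from the CWE entry or from any affected product; the setting names, the "CHANGEME" placeholder credential and the sample overrides are constructed for the example.

```python
from typing import Any

# Constructed catalogue of settings a product might ship with. Each entry
# records the shipped default and whether the vendor expects the installer or
# administrator to replace it before the product is exposed.
SETTINGS: dict[str, dict[str, Any]] = {
    "bind_address":   {"default": "127.0.0.1", "must_change": False},
    "web_ui_enabled": {"default": False,       "must_change": False},
    "debug":          {"default": False,       "must_change": False},
    # A placeholder credential the product cannot choose safely on its own.
    "admin_password": {"default": "CHANGEME",  "must_change": True},
}


def load_config(overrides: dict[str, Any]) -> dict[str, Any]:
    """Build the effective configuration from fail-closed defaults plus
    explicit overrides. Every setting starts from a known value (the
    counterpart of `$authorized = false`), and unknown keys are rejected
    so stray input cannot create a setting the way an unexpected POST
    field created $authorized under register_globals."""
    cfg = {name: meta["default"] for name, meta in SETTINGS.items()}
    for name, value in overrides.items():
        if name not in SETTINGS:
            raise KeyError(f"unknown setting {name!r}")
        cfg[name] = value
    return cfg


def audit_insecure_defaults(cfg: dict[str, Any]) -> list[str]:
    """Return findings for settings still at a default the vendor marked
    as must-change, and for the combination that exposes the web interface
    to the whole network (the pattern described for CVE-2022-42467)."""
    findings = []
    for name, meta in SETTINGS.items():
        if meta["must_change"] and cfg[name] == meta["default"]:
            findings.append(f"{name} is still the shipped default")
    if cfg["web_ui_enabled"] and cfg["bind_address"] == "0.0.0.0":
        findings.append("web UI is enabled on all interfaces")
    return findings


def startup_check(overrides: dict[str, Any]) -> dict[str, Any]:
    """Load the configuration and refuse to start while findings remain,
    so an unchanged insecure default fails loudly instead of silently."""
    cfg = load_config(overrides)
    findings = audit_insecure_defaults(cfg)
    if findings:
        raise RuntimeError("insecure defaults: " + "; ".join(findings))
    return cfg
```

Running `startup_check({})` fails because the placeholder credential was never replaced; supplying a real password and keeping the default loopback bind address passes.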

Frequently Asked Questions

What is CWE-1188?

CWE-1188 (Initialization of a Resource with an Insecure Default) is a software weakness identified by MITRE's Common Weakness Enumeration. It is classified as a Base-level weakness. The product initializes or sets a resource with a default that is intended to be changed by the product's installer, administrator, or maintainer, but the default is not secure.

How can CWE-1188 be exploited?

Attackers can exploit CWE-1188 (Initialization of a Resource with an Insecure Default) in ways that vary by context. This weakness is typically introduced during the Implementation and System Configuration phases of software development.

How do I prevent CWE-1188?

Follow secure coding practices, conduct code reviews, and use automated security testing tools (SAST/DAST) to detect this weakness early in the development lifecycle.

What is the severity of CWE-1188?

CWE-1188 is classified as a Base-level weakness (Medium abstraction). It has been observed in 2 real-world CVEs.