Application misconfiguration vulnerabilities occur when an application is deployed or configured insecurely by whoever operates it, rather than because of a flaw in the application's code. Examples include weak or default passwords, overly permissive access control permissions, exposed configuration settings or files, exposed authentication stores (such as password files or credential databases), unnecessarily enabled functions and services, and administration interfaces reachable from untrusted networks. Attackers typically abuse these weaknesses to gain administrative access to the application, and then leverage that access to execute arbitrary code on the server with the privileges of the web application.
Any application with security-relevant configuration settings can be affected. Note that this vulnerability type is usually introduced by the users, administrators or customers who deploy the application, so they, rather than the developers, are responsible for preventing it. The developers' responsibility is to document the security implications of every setting that affects the application's information assurance posture (even if that documentation might go unread or unheeded).
The impact of an application misconfiguration vulnerability depends on its specific circumstances. Often, an attacker will first attempt to gain administrative access to the application. For example, an attacker might recover exposed authentication credentials (from a readable configuration file or authentication store) and use them to log in without authorization. The attacker could then leverage the elevated privileges to inject malicious code into the application's code or data, gaining full control over the application and executing arbitrary commands on the server with the privileges of the compromised application.
To prevent application misconfiguration vulnerabilities, harden the application and the server it runs on: replace default and weak credentials, restrict file and directory permissions to the accounts that actually need them, keep configuration files and authentication stores outside the web root (or otherwise unreachable over HTTP), disable functions and services that are not required, restrict administration interfaces to trusted networks or protect them with strong authentication, and follow the vendor's hardening documentation for every security-relevant setting.
To verify that application misconfiguration vulnerabilities are prevented, review the deployed configuration against that hardening baseline rather than taking it on trust: confirm that default credentials have been changed, that configuration files and authentication stores cannot be retrieved over HTTP, that unneeded functions and services are disabled, that sensitive files are not readable by other local accounts, and that administration interfaces are not reachable from untrusted networks. Automated scanning for exposed configuration files and administration interfaces is a useful supplement to manual review, not a replacement for it.
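The checks described above, as an added example that is not code from the original page. It audits a constructed INI-style application configuration for the misconfigurations listed earlier (debug mode, directory listing, an administration interface bound to all interfaces, a default administrator password, unnecessary services), checks the permissions of a credential file, and flags configuration files and authentication stores that are reachable under the web root. The option names, the `[services]` section, the list of sensitive file names and the two sample configurations are assumptions chosen for illustration; adapt them to the application you actually deploy.

```python
"""Audit an application deployment for common misconfigurations.

Added example, not code from the original page. The INI layout, option
names and SENSITIVE_NAMES are assumptions for illustration.
"""
import configparser
import os
import stat
import tempfile
from typing import List, Tuple

# Constructed sample configuration with several weak settings.
WEAK_CONFIG = """
[server]
debug = true
directory_listing = on
admin_interface = 0.0.0.0:8080
admin_password = admin

[services]
remote_debugger = enabled
sample_app = enabled
"""

# The same configuration after hardening: debug and listing off, admin
# interface bound to loopback, password supplied from the environment,
# optional services disabled.
HARDENED_CONFIG = """
[server]
debug = false
directory_listing = off
admin_interface = 127.0.0.1:8080
admin_password = ${ADMIN_PASSWORD}

[services]
remote_debugger = disabled
sample_app = disabled
"""

# Constructed listing of paths reachable under the web root.
SAMPLE_LISTING = ["/index.html", "/.env", "/static/app.js", "/.git/HEAD",
                  "/admin/config.php.bak", "/images/logo.png"]

DEFAULT_PASSWORDS = {"", "admin", "password", "changeme", "123456"}
TRUTHY = {"true", "on", "1", "yes"}
# File names that must never be served: configuration files and
# authentication stores (assumed list, extend for your stack).
SENSITIVE_NAMES = {".env", ".htpasswd", ".htaccess", "web.config", ".git"}


def audit_config(text: str) -> List[str]:
    """Return findings for an INI-style application configuration."""
    cp = configparser.ConfigParser(interpolation=None)
    cp.read_string(text)
    findings = []
    server = cp["server"] if cp.has_section("server") else {}
    if server.get("debug", "false").lower() in TRUTHY:
        findings.append("debug mode enabled")
    if server.get("directory_listing", "off").lower() in TRUTHY:
        findings.append("directory listing enabled")
    host = server.get("admin_interface", "").rsplit(":", 1)[0]
    if host in ("", "*", "0.0.0.0", "::"):
        findings.append("admin interface bound to all interfaces")
    pw = server.get("admin_password", "")
    # A "${VAR}" reference means the secret is injected at runtime, so
    # only literal passwords are judged here.
    if not pw.startswith("${") and (pw.lower() in DEFAULT_PASSWORDS or len(pw) < 12):
        findings.append("weak or default admin password")
    # Assumption: everything in [services] is optional functionality.
    if cp.has_section("services"):
        for name, value in cp["services"].items():
            if value.lower() == "enabled":
                findings.append(f"unnecessary service enabled: {name}")
    return findings


def check_file_permissions(path: str) -> List[str]:
    """Flag a credential/config file that other local accounts can read or write."""
    mode = os.stat(path).st_mode
    findings = []
    if mode & (stat.S_IRGRP | stat.S_IROTH):
        findings.append(f"{path} readable by group/other")
    if mode & (stat.S_IWGRP | stat.S_IWOTH):
        findings.append(f"{path} writable by group/other")
    return findings


def find_exposed_paths(served_paths: List[str]) -> List[str]:
    """Return served paths that expose a config file, auth store or backup copy."""
    exposed = []
    for p in served_paths:
        parts = p.strip("/").split("/")
        if any(part in SENSITIVE_NAMES or part.endswith((".bak", ".orig", "~"))
               for part in parts):
            exposed.append(p)
    return exposed


def permission_demo() -> Tuple[int, int]:
    """Create a temp credential file at 0644, then 0600; return finding counts."""
    fd, path = tempfile.mkstemp()
    os.close(fd)
    try:
        os.chmod(path, 0o644)
        before = len(check_file_permissions(path))
        os.chmod(path, 0o600)
        after = len(check_file_permissions(path))
    finally:
        os.unlink(path)
    return before, after


if __name__ == "__main__":
    print("weak config:", audit_config(WEAK_CONFIG))
    print("hardened config:", audit_config(HARDENED_CONFIG))
    print("exposed paths:", find_exposed_paths(SAMPLE_LISTING))
    print("permission findings before/after chmod 600:", permission_demo())
```

Run it as a script to see the weak configuration produce six findings and the hardened one none. In a real deployment, `find_exposed_paths` would be fed by a crawl or directory listing of the web root, and `check_file_permissions` would be pointed at the real configuration files and authentication stores.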