CWE-209 Error Message Information Leak
CWE-210: Information Exposure Through Self-generated Error Message
Source: https://cwe.mitre.org/data/definitions/210.html
Weakness ID: 210 (Weakness Base)
Status: Draft

Description Summary
The software identifies an error condition and creates its own diagnostic or error messages that contain sensitive information.

Time of Introduction
- Architecture and Design
- Implementation
- Operation

Applicable Platforms
Languages: All

Common Consequences
Scope: Confidentiality
Effect: Technical Impact: Read application data

Demonstrative Examples
Example 1
The following code uses custom configuration files for each user in the application. It checks to see if the file exists on the system before attempting to open and use the file. If the configuration file does not exist, then an error is generated, and the application exits.

(Bad Code) Example Language: Perl

    $uname = GetUserInput("username");
    # avoid CWE-22, CWE-78, others.
    if ($uname !~ /^\w+$/) {
        ExitError("Bad hacker!");
    }
    $filename = "/home/myprog/config/" . $uname . ".txt";
    if (!(-e $filename)) {
        ExitError("Error: $filename does not exist");
    }

If this code is running on a server, such as a web application, then the person making the request should not know what the full pathname of the configuration directory is. By submitting a username that is not associated with a configuration file, an attacker could get this pathname from the error message. It could then be used to exploit path traversal, symbolic link following, or other problems that may exist elsewhere in the application.

Observed Examples
Reference: CVE-2005-1745
Description: Infoleak of sensitive information in error message (physical access required).

Potential Mitigations
Phases: Implementation; Build and Compilation
Strategies: Compilation or Build Hardening; Environment Hardening
Debugging information should not make its way into a production release.

Relationships
Nature: ChildOf. Type: Weakness Base. ID: 209. Name: Information Exposure Through an Error Message. View(s) this relationship pertains to: Development Concepts (primary
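A hardened counterpart to the Perl demonstrative example in the CWE-210 entry above, as an added example that is not part of the CWE entry: the full detail goes to a server-side log and the client receives one generic message with an opaque reference. The names `client_error`, `load_user_config` and `@server_log`, and the temporary config directory, are assumptions made for this example.

```perl
#!/usr/bin/perl
use strict;
use warnings;
use File::Temp qw(tempdir);

# Assumption: a temp dir stands in for the real config directory so the
# script runs anywhere; @server_log stands in for an operator-only log file.
my $CONFIG_DIR = tempdir(CLEANUP => 1);
my @server_log;

# Record the full detail server-side; give the client only an opaque
# reference that an operator can use to find the matching log entry.
sub client_error {
    my ($detail) = @_;
    my $ref = sprintf("%08x", int(rand(0xFFFFFFFF)));
    push @server_log, "[$ref] $detail";
    return "An error occurred. Reference: $ref";
}

# Returns (ok, message). The message never contains $filename, and a
# rejected name and a missing file produce the same client-facing text.
sub load_user_config {
    my ($uname) = @_;
    # \A...\z rather than ^...$: '$' also matches before a trailing newline.
    return (0, client_error("rejected username"))
        unless defined $uname && $uname =~ /\A\w+\z/;
    my $filename = "$CONFIG_DIR/$uname.txt";
    return (0, client_error("config missing: $filename"))
        unless -e $filename;
    return (1, "config loaded");
}

# Constructed sample input: one existing user, one missing, two malformed.
open(my $fh, '>', "$CONFIG_DIR/alice.txt") or die "setup failed: $!";
close($fh);

for my $name ("alice", "bob", "bob\n", "not/valid") {
    my ($ok, $msg) = load_user_config($name);
    (my $shown = $name) =~ s/\n/\\n/g;
    printf("%-10s -> %s\n", $shown, $msg);
    # The client-facing text must never reveal the config directory.
    die "path leaked to client" if index($msg, $CONFIG_DIR) >= 0;
}
print "server log:\n";
print "  $_\n" for @server_log;
```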
workings, or violate privacy through a variety of application problems. Applications can also leak internal state via how long they take to process certain operations or via different responses to differing inputs, such as displaying the same error text with different error numbers. Web applications will often leak information about their internal state through detailed or debug error messages. Often, this information can be leveraged to launch or even automate more powerful attacks.

Source: https://www.owasp.org/index.php/Top_10_2007-Information_Leakage_and_Improper_Error_Handling

Environments Affected
All web application frameworks are vulnerable to information leakage and improper error handling.

Vulnerability
Applications frequently generate error messages and display them to users. Many times these error messages are quite useful to attackers, as they reveal implementation details or information that is useful in exploiting a vulnerability. There are several common examples of this:
- Detailed error handling, where inducing an error displays too much information, such as stack traces, failed SQL statements, or other debugging information
- Functions that produce different results based upon different inputs. For example, supplying the same username but different passwords to a login function should produce the same text for no such user, and bad password. However, many systems produce different error codes

Verifying Security
The goal is to verify that the application does not leak information via error messages or other means.

Automated approaches: Vulnerability scanning tools will usually cause error messages to be generated. Static analysis tools can search for the use of APIs that leak information, but will not be able to verify the meaning of those messages.

Manual approaches: A code review can search for impr
CWE-209: Information Exposure Through an Error Message
Source: https://www.security-database.com/cwe.php?name=CWE-209
Weakness ID: 209 (Weakness Base)
Status: Draft

Description Summary
The software generates an error message that includes sensitive information about its environment, users, or associated data.

Extended Description
The sensitive information may be valuable information on its own (such as a password), or it may be useful for launching other, more deadly attacks. If an attack fails, an attacker may use error information provided by the server to launch another more focused attack. For example, an attempt to exploit a path traversal weakness (CWE-22) might yield the full pathname of the installed application. In turn, this could be used to select the proper number of ".." sequences to navigate to the targeted file. An attack using SQL injection (CWE-89) might not initially succeed, but an error message could reveal the malformed query, which would expose query logic and possibly even passwords or other sensitive information used within the query.

Time of Introduction
- Architecture and Design
- Implementation
- System Configuration
- Operation

Applicable Platforms
Languages: PHP (Often); All

Common Consequences
Scope: Confidentiality
Effect: Often this will either reveal sensitive information which may be used for a later attack or private information stored in the server.

Likelihood of Exploit
High

Detection Methods
Manual Analysis: This weakness generally requires domain-specific interpretation using manual analysis. However, the number of potential error conditions may be too large to cover completely within limited time constraints. Effectiveness: High

Automated Analysis: Automated methods may be able to detect certain idioms automatically, such as exposed stack traces or pathnames, but violation of