Intentional Information Exposure

ID: 213
Date: created 2012-05-14, modified 2022-10-10
Type: weakness
Status: DRAFT
Abstraction Type: Base

Description

A product's design or configuration explicitly requires the publication of information that could be regarded as sensitive by an administrator.

Applicable Platforms
Language Class: All

Time Of Introduction

  • Architecture and Design
  • Implementation
  • Operation

Common Consequences

Scope            Technical Impact        Notes
Confidentiality  Read application data

Detection Methods
None

Potential Mitigations

Phase / Strategy / Effectiveness / Notes: none given in this entry.

Description: Compartmentalize your system to have "safe" areas where trust boundaries can be unambiguously drawn. Do not allow sensitive data to go outside of the trust boundary, and always be careful when interfacing with a compartment outside of the safe area. Consider what information might be regarded as sensitive by your product's users, even if it is not important for the safe operation of your system.

Relationships

Relationship              Type      View     Chain
CWE-213 ChildOf CWE-895   Category  CWE-888  (none)

Demonstrative Examples   (Details)

  1. The JSP code listed below displays a user's credit card and social security numbers in a browser window (even though they aren't absolutely necessary).
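The following is an added example, not the JSP sample from the CWE entry or any SecPod code. It models the demonstrative example above and the mitigation in the Potential Mitigations section: a profile page handler that publishes a Social Security number and full card number by design, next to a hardened variant that builds the view model on the trusted side and lets only allowlisted fields cross the trust boundary into the browser. The Account record, the sample values, the field names and the HTML layout are all assumptions made for illustration.

```python
"""Added example (not the CWE entry's own JSP code): a page that exposes
sensitive fields by design, and a hardened variant that keeps them inside
the trust boundary. Record layout, sample data and HTML are assumptions."""
import html
from dataclasses import dataclass


@dataclass(frozen=True)
class Account:
    """Constructed record; every value below is made up for illustration."""
    username: str
    email: str
    ssn: str
    credit_card: str


# Constructed sample account shared by both renderers.
SAMPLE = Account(username="alice", email="alice@example.com",
                 ssn="123-45-6789", credit_card="4111111111111111")


def render_profile_vulnerable(acct: Account) -> str:
    """Mirrors CWE-213: the template explicitly publishes the SSN and the
    full card number although the profile page does not need them."""
    return (f"<p>User: {html.escape(acct.username)}</p>"
            f"<p>Social Security Number: {html.escape(acct.ssn)}</p>"
            f"<p>Credit Card Number: {html.escape(acct.credit_card)}</p>")


# Fields permitted to cross the trust boundary into the browser. Anything
# not listed never reaches the template, so a later template edit cannot
# leak it by accident. The allowlist itself is an assumed design choice.
PROFILE_FIELDS = frozenset({"username", "email", "card_last4"})


def mask_card(number: str) -> str:
    """Keep only the last four digits of a card number; shorter inputs are
    fully masked rather than partially revealed."""
    digits = "".join(ch for ch in number if ch.isdigit())
    if len(digits) < 4:
        return "****"
    return "*" * (len(digits) - 4) + digits[-4:]


def profile_view(acct: Account) -> dict:
    """Build the view model on the trusted side, then enforce the allowlist.
    The SSN is deliberately never copied into the view model at all."""
    candidate = {
        "username": acct.username,
        "email": acct.email,
        "card_last4": mask_card(acct.credit_card),
    }
    not_allowed = set(candidate) - PROFILE_FIELDS
    if not_allowed:
        raise ValueError(f"fields not permitted in profile view: {sorted(not_allowed)}")
    return candidate


def render_profile_hardened(acct: Account) -> str:
    """Render only what profile_view() lets through the boundary."""
    view = profile_view(acct)
    return "".join(f"<p>{html.escape(k)}: {html.escape(v)}</p>"
                   for k, v in view.items())


def page_exposes(page: str, acct: Account) -> bool:
    """Simple check: does the rendered HTML contain the raw secrets?"""
    return acct.ssn in page or acct.credit_card in page


if __name__ == "__main__":
    print("vulnerable:", render_profile_vulnerable(SAMPLE))
    print("hardened:  ", render_profile_hardened(SAMPLE))
```

The point of profile_view() is that the decision about what leaves the safe area is made in one place, against an explicit allowlist, rather than in each template. Removing a field from PROFILE_FIELDS makes any template that still references it fail loudly instead of silently publishing it.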

Observed Examples

  1. CVE-2002-1725 : Script calls phpinfo()
  2. CVE-2004-0033 : Script calls phpinfo()
  3. CVE-2003-1181 : Script calls phpinfo()
  4. CVE-2004-1422 : Script calls phpinfo()
  5. CVE-2004-1590 : Script calls phpinfo()
  6. CVE-2003-1038 : Product lists DLLs and full pathnames.
  7. CVE-2005-1205 : Telnet protocol allows servers to obtain sensitive environment information from clients.
  8. CVE-2005-0488 : Telnet protocol allows servers to obtain sensitive environment information from clients.

White Box Definitions
None

Black Box Definitions
None

Taxonomy Mappings

Taxonomy   Id   Name                        Fit
PLOVER          Intended information leak


References:
None

© SecPod Technologies