Intentional Information Exposure
ID: 213 | Date: (C)2012-05-14 (M)2022-10-10 |
Type: weakness | Status: DRAFT |
Abstraction Type: Base |
Description
A product's design or configuration explicitly requires the
publication of information that could be regarded as sensitive by an
administrator.
Applicable Platforms
Language Class: All
Time Of Introduction
- Architecture and Design
- Implementation
- Operation
Common Consequences
Scope | Technical Impact | Notes |
---|---|---|
Confidentiality | Read application data | |
Detection Methods
None
Potential Mitigations
Phase | Strategy | Description | Effectiveness | Notes |
---|---|---|---|---|
| | Compartmentalize your system to have "safe" areas where trust boundaries can be unambiguously drawn. Do not allow sensitive data to go outside of the trust boundary and always be careful when interfacing with a compartment outside of the safe area. Consider what information might be regarded as sensitive by your product's users, even if it is not important for the safe operation of your system. | | |
Relationships
Related CWE | Type | View | Chain |
---|---|---|---|
CWE-213 ChildOf CWE-895 | Category | CWE-888 | |
Demonstrative Examples (Details)
- The JSP code listed below displays a user's credit card and social
security numbers in a browser window (even though they aren't absolutely
necessary).
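The demonstrative example above and the mitigation entry describe the same pattern: a page that renders every field of a record, including the card number and SSN it does not need. The following Python is an added illustration written for this entry, not code from MITRE or from the CWE demonstrative example (which is JSP and is not reproduced on this page). It assumes a hypothetical UserRecord type with constructed, fake values, shows the exposing renderer beside a hardened one that builds an allowlisted view model with masked values (the trust boundary the mitigation describes), and includes a check that a test suite can use to fail a build when a full secret reaches rendered output.

```python
"""CWE-213 illustration: exposing renderer vs. allowlisted, masked view model.

Hypothetical types and sample values; nothing here is from the CWE page.
"""
import html
import re
from dataclasses import dataclass


@dataclass(frozen=True)
class UserRecord:
    """Hypothetical backend record (the 'unsafe' compartment)."""
    name: str
    card_number: str  # full primary account number
    ssn: str          # nnn-nn-nnnn


# Constructed sample record with fake values (not real card/SSN data).
SAMPLE = UserRecord(name="Ann Example",
                    card_number="4111111111111111",
                    ssn="123-45-6789")


def render_profile_exposing(user: UserRecord) -> str:
    """The CWE-213 pattern: the template prints every field it was handed.

    The values are escaped, so this is not an injection bug; the weakness is
    that the full card number and SSN were never needed on this page.
    """
    return (
        f"<h1>{html.escape(user.name)}</h1>"
        f"<p>Card: {html.escape(user.card_number)}</p>"
        f"<p>SSN: {html.escape(user.ssn)}</p>"
    )


def mask_card(pan: str) -> str:
    """Keep only the last four digits of a card number."""
    digits = re.sub(r"\D", "", pan)
    if len(digits) <= 4:            # degenerate input: mask everything
        return "*" * len(digits)
    return "*" * (len(digits) - 4) + digits[-4:]


def mask_ssn(ssn: str) -> str:
    """Keep only the last four digits of an SSN in nnn-nn-nnnn form."""
    digits = re.sub(r"\D", "", ssn)
    return "***-**-" + digits[-4:]


# Allowlist: the only keys the presentation layer is permitted to see.
VIEW_FIELDS = ("name", "card_last4", "ssn_last4")


def to_view_model(user: UserRecord) -> dict:
    """Build the object that crosses the trust boundary into the template.

    Sensitive fields are transformed here; the raw record never reaches the
    renderer, so a template author cannot print what was not provided.
    """
    model = {
        "name": user.name,
        "card_last4": mask_card(user.card_number),
        "ssn_last4": mask_ssn(user.ssn),
    }
    # Defensive check: the model must contain exactly the allowlisted keys.
    assert set(model) == set(VIEW_FIELDS)
    return model


def render_profile_masked(user: UserRecord) -> str:
    """Hardened form: render only from the allowlisted view model."""
    vm = to_view_model(user)
    return (
        f"<h1>{html.escape(vm['name'])}</h1>"
        f"<p>Card: {html.escape(vm['card_last4'])}</p>"
        f"<p>SSN: {html.escape(vm['ssn_last4'])}</p>"
    )


def leaks_secret(output: str, user: UserRecord) -> bool:
    """Test-time check: does any full secret value appear in the output?

    Checks both the formatted and the digits-only forms so a renderer that
    strips punctuation is still caught.
    """
    secrets = {
        user.card_number,
        user.ssn,
        re.sub(r"\D", "", user.ssn),
    }
    return any(s and s in output for s in secrets)


if __name__ == "__main__":
    print(render_profile_exposing(SAMPLE))
    print(render_profile_masked(SAMPLE))
    print("exposing leaks:", leaks_secret(render_profile_exposing(SAMPLE), SAMPLE))
    print("masked leaks:  ", leaks_secret(render_profile_masked(SAMPLE), SAMPLE))
```

The design choice worth noting is that masking happens in `to_view_model`, not in the template: the template receives an object that simply has no full card number or SSN in it, which is what "do not allow sensitive data to go outside of the trust boundary" means in practice. `leaks_secret` is a cheap regression check to run over rendered pages and API responses in tests.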
Observed Examples
- CVE-2002-1725 : Script calls phpinfo()
- CVE-2004-0033 : Script calls phpinfo()
- CVE-2003-1181 : Script calls phpinfo()
- CVE-2004-1422 : Script calls phpinfo()
- CVE-2004-1590 : Script calls phpinfo()
- CVE-2003-1038 : Product lists DLLs and full pathnames.
- CVE-2005-1205 : Telnet protocol allows servers to obtain sensitive environment information from clients.
- CVE-2005-0488 : Telnet protocol allows servers to obtain sensitive environment information from clients.
For more examples, refer to CVE relations in the bottom box.
White Box Definitions None
Black Box Definitions None
Taxonomy Mappings
Taxonomy | Id | Name | Fit |
---|---|---|---|
PLOVER | | Intended information leak | |
References: None