Information Exposure Through Log Files

ID: 532
Date: (C) 2012-05-14   (M) 2017-11-16
Type: weakness
Status: INCOMPLETE
Abstraction Type: Variant

Description

Information written to log files can be of a sensitive nature and give valuable guidance to an attacker or expose sensitive user information.

Extended Description

While logging all information may be helpful during development stages, it is important that logging levels be set appropriately before a product ships so that sensitive user data and system information are not accidentally exposed to potential attackers.

Likelihood of Exploit: Medium

Applicable Platforms
None

Time Of Introduction

  • Architecture and Design
  • Implementation
  • Operation

Related Attack Patterns

Common Consequences

Scope: Confidentiality
Technical Impact: Read application data
Notes: Logging sensitive user data often provides attackers with an additional, less-protected path to acquiring the information.

Detection Methods
None

Potential Mitigations

Phase: Architecture and Design; Implementation
Description: Consider seriously the sensitivity of the information written into log files. Do not write secrets into the log files.

Phase: Operation
Description: Protect log files against unauthorized read/write.

Phase: Implementation
Description: Adjust configurations appropriately when software is transitioned from a debug state to production.
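The three mitigations above can be put into one small logging setup. The following is an added example in Python, not code from the CWE entry or from SecPod: a handler-level filter masks card numbers and blanks credential values in every record, the logger ships at INFO in production so the debug line never reaches the sink, and the log file is created owner-read/write only. The sample checkout event, the regular expressions and every function name are this example's own assumptions.

```python
"""Added example for CWE-532: keep secrets out of log files (not the CWE entry's own code)."""
import logging
import os
import re
import stat
import tempfile
from io import StringIO

# Constructed sample event; the values are placeholders, not real customer data.
SAMPLE_EVENT = {
    "customer_id": "c-1024",
    "full_name": "Jane Example",
    "card_number": "4111 1111 1111 1111",
    "api_key": "sk_test_placeholder",
}

# Runs of 13-19 digits, optionally separated by spaces or dashes (typical card PAN layout).
_PAN_RE = re.compile(r"\b(?:\d[ -]?){12,18}\d\b")
# key=value / key: value pairs whose key names a credential.
_SECRET_RE = re.compile(r"(?i)\b(password|passwd|secret|token|api[_-]?key)\b\s*[=:]\s*\S+")


def mask_pan(pan: str) -> str:
    """Keep only the last four digits so the line stays useful for support."""
    digits = re.sub(r"\D", "", pan)
    return "*" * (len(digits) - 4) + digits[-4:]


def redact(text: str) -> str:
    """Mask card numbers and blank out credential values in one log line."""
    text = _PAN_RE.sub(lambda m: mask_pan(m.group(0)), text)
    return _SECRET_RE.sub(lambda m: f"{m.group(1)}=[REDACTED]", text)


class RedactingFilter(logging.Filter):
    """Attached to the handler, so it scrubs every record whichever logger emitted it."""

    def filter(self, record: logging.LogRecord) -> bool:
        record.msg = redact(record.getMessage())
        record.args = ()  # already formatted; prevents a second % substitution
        return True


def build_logger(name: str, stream, production: bool) -> logging.Logger:
    """DEBUG is for development only; production runs at INFO (mitigation: adjust configuration)."""
    logger = logging.getLogger(name)
    logger.handlers.clear()
    logger.propagate = False
    logger.setLevel(logging.INFO if production else logging.DEBUG)
    handler = logging.StreamHandler(stream)
    handler.setFormatter(logging.Formatter("%(levelname)s %(message)s"))
    handler.addFilter(RedactingFilter())
    logger.addHandler(handler)
    return logger


def open_log_file(path: str):
    """Create the log file owner-read/write only (mitigation: protect log files from unauthorized read)."""
    fd = os.open(path, os.O_WRONLY | os.O_CREAT | os.O_APPEND, 0o600)
    return os.fdopen(fd, "a")


def private_log_mode() -> int:
    """Create a log with open_log_file in a temporary directory and report its permission bits."""
    with tempfile.TemporaryDirectory() as d:
        path = os.path.join(d, "app.log")
        with open_log_file(path) as f:
            f.write("INFO startup\n")
        return stat.S_IMODE(os.stat(path).st_mode)


def log_checkout(logger: logging.Logger, event: dict) -> None:
    # The DEBUG line is the CWE-532 pattern: full name and card number passed verbatim.
    logger.debug("checkout by %s card=%s api_key=%s",
                 event["full_name"], event["card_number"], event["api_key"])
    # The INFO line carries only an opaque customer id, which is all production needs.
    logger.info("checkout completed for customer %s", event["customer_id"])


def render(production: bool) -> str:
    """Run the checkout through a dev- or prod-configured logger and return what reached the sink."""
    sink = StringIO()
    logger = build_logger(f"checkout.{'prod' if production else 'dev'}", sink, production)
    log_checkout(logger, SAMPLE_EVENT)
    return sink.getvalue()


if __name__ == "__main__":
    print("--- development ---")
    print(render(production=False), end="")
    print("--- production ---")
    print(render(production=True), end="")
    print(f"log file mode: {private_log_mode():o}")
```

The filter is a safety net for data with a recognisable shape (card numbers, `key=value` credentials); free-text personal data such as the customer's name has no pattern to match, so the only real fix for it is to leave it out of the logging call, with the production level guaranteeing the debug line never ships.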

Relationships

Related CWE | Type | View | Chain
CWE-532 ChildOf CWE-895 Category CWE-888

Demonstrative Examples

  1. In the following code snippet, a user's full name and credit card number are written to a log file.

White Box Definitions
None

Black Box Definitions
None

Taxonomy Mappings

Taxonomy | Id | Name | Fit
Anonymous Tool Vendor (under NDA) | | |
CERT Java Secure Coding | FIO13-J | Do not log sensitive information outside a trust boundary |

References:
None

© 2013 SecPod Technologies