Intended Information Leak
Weakness ID: 213 (Weakness Base)
Status: Draft
+ Description

Description Summary

A product's design or configuration explicitly requires the publication of information that could be regarded as sensitive by an administrator.
+ Time of Introduction
  • Architecture and Design
  • Implementation
  • Operation
+ Applicable Platforms

Languages

All

+ Demonstrative Examples

Example 1

The JSP code listed below displays a user's credit card and social security numbers in a browser window (even though they aren't absolutely necessary).

(Bad Code)
Example Language: JSP
Social Security Number: <%= ssn %><br/>Credit Card Number: <%= ccn %>
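One way to reduce what the page above publishes, as an added example that is not part of the CWE entry: a helper the JSP could call in place of the raw `<%= ssn %>` and `<%= ccn %>` expressions. The class name `SensitiveFieldMasker`, the method `maskDigits`, and the choice to show only the last four digits are assumptions made for illustration.

```java
// Added example, not from the CWE entry. All names here are hypothetical.
// Assumed JSP usage once the class is importable by the page:
//   Social Security Number: <%= SensitiveFieldMasker.maskDigits(ssn, 4) %>
public final class SensitiveFieldMasker {

    private SensitiveFieldMasker() {}

    /**
     * Replaces every digit except the last `visible` ones with '*'.
     * Dashes and spaces are kept so the field layout stays recognisable.
     * A null value yields an empty string, and a value with no more than
     * `visible` digits is masked completely, so a short or malformed
     * value is never echoed back in full.
     */
    public static String maskDigits(String value, int visible) {
        if (visible < 0) {
            throw new IllegalArgumentException("visible must be >= 0");
        }
        if (value == null) {
            return "";
        }
        int digits = 0;
        for (int i = 0; i < value.length(); i++) {
            if (Character.isDigit(value.charAt(i))) digits++;
        }
        // Number of leading digits that must be hidden.
        int toMask = digits <= visible ? digits : digits - visible;
        StringBuilder out = new StringBuilder(value.length());
        for (int i = 0; i < value.length(); i++) {
            char c = value.charAt(i);
            if (Character.isDigit(c)) {
                if (toMask > 0) { out.append('*'); toMask--; }
                else out.append(c);
            } else if (c == '-' || c == ' ') {
                out.append(c);   // keep separators
            } else {
                out.append('*'); // unexpected character: do not echo it
            }
        }
        return out.toString();
    }

    public static void main(String[] args) {
        // Constructed sample values, not real identifiers.
        System.out.println(maskDigits("078-05-1120", 4));
        System.out.println(maskDigits("4111 1111 1111 1111", 4));
        System.out.println(maskDigits("123", 4));
    }
}
```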
+ Observed Examples
Reference | Description
CVE-2002-1725 | Script calls phpinfo()
CVE-2004-0033 | Script calls phpinfo()
CVE-2003-1181 | Script calls phpinfo()
CVE-2004-1422 | Script calls phpinfo()
CVE-2004-1590 | Script calls phpinfo()
CVE-2003-1038 | Product lists DLLs and full pathnames.
CVE-2005-1205 | Telnet protocol allows servers to obtain sensitive environment information from clients.
CVE-2005-0488 | Telnet protocol allows servers to obtain sensitive environment information from clients.
+ Potential Mitigations

Compartmentalize your system to have "safe" areas where trust boundaries can be unambiguously drawn. Do not allow sensitive data to go outside of the trust boundary and always be careful when interfacing with a compartment outside of the safe area. Consider what information might be regarded as sensitive by your product's users, even if it is not important for the safe operation of your system.

+ Other Notes

This overlaps other categories, but it is distinct from the error message infoleaks.

It's not always clear whether an infoleak is intentional or not. For example, CVE-2005-3261 identifies a PHP script that lists file versions, but it could be that the developer did not intend for this information to be public and instead introduced a direct request issue.

In vulnerability theory terms, this covers cases in which the developer's Intended Policy allows the information to be made available, but the information might be in violation of a Universal Policy in which the product's administrator should have control over which

+ Relationships
Nature | Type | ID | Name | View(s) this relationship pertains to
ChildOf | Weakness Class | 200 | Information Exposure | Development Concepts (primary) 699; Research Concepts (primary) 1000
+ Taxonomy Mappings
Mapped Taxonomy Name | Node ID | Fit | Mapped Node Name
PLOVER | | | Intended information leak
+ Content History
Submissions
Submitter: PLOVER; Source: Externally Mined
Modifications
Modification Date | Modifier | Organization | Source
2008-07-01 | Sean Eidemiller | Cigital | External
added/updated demonstrative examples
2008-07-01 | Eric Dalci | Cigital | External
updated Time of Introduction
2008-09-08 | CWE Content Team | MITRE | Internal
updated Relationships, Other Notes, Taxonomy Mappings