CWE

Common Weakness Enumeration

A Community-Developed List of Software Weakness Types

CWE/SANS Top 25 Most Dangerous Software Errors
Home > Community > Research > Reports > RESSPEC: Resource-Specific Nodes  
ID

RESSPEC: Resource-Specific Nodes
RESSPEC: Resource-Specific Nodes

Total Nodes in this Report: 37    Report Generated On: 2007-09-12

ID: 117 Name: Log Forging
URL: http://cwe.mitre.org/data/definitions/117.html
Writing unvalidated user input into log files can allow an attacker to forge log entries or inject malicious content into logs.
ID: 141 Name: Parameter Delimiter
URL: http://cwe.mitre.org/data/definitions/141.html
Parameter delimiters injected into an application can be used to compromise a system. As data is parsed, an injected/absent/malformed delimiter may cause the process to take unexpected actions that result in an attack.
ID: 142 Name: Value Delimiter
URL: http://cwe.mitre.org/data/definitions/142.html
Value delimiters injected into an application can be used to compromise a system. As data is parsed, an injected/absent/malformed delimiter may cause the process to take unexpected actions that result in an attack.
ID: 143 Name: Record Delimiter
URL: http://cwe.mitre.org/data/definitions/143.html
Record delimiters injected into an application can be used to compromise a system. as data is parsed, an injected/absent/malformed delimiter may cause the process to take unexpected actions that result in an attack.
ID: 144 Name: Line Delimiter
URL: http://cwe.mitre.org/data/definitions/144.html
Line delimiters injected into an application can be used to compromise a system. as data is parsed, an injected/absent/malformed delimiter may cause the process to take unexpected actions that result in an attack.
ID: 145 Name: Section Delimiter
URL: http://cwe.mitre.org/data/definitions/145.html
Section delimiters injected into an application can be used to compromise a system. as data is parsed, an injected/absent/malformed delimiter may cause the process to take unexpected actions that result in an attack. One example of a section delimiter is the boundary string in a multipart MIME message. In many cases, doubled line delimiters can serve as a section delimiter.
ID: 146 Name: Delimiter between Expressions or Commands
URL: http://cwe.mitre.org/data/definitions/146.html
Delimiters between expressions or commands injected into the software through input can be used to compromise a system. as data is parsed, an injected/absent/malformed delimiter may cause the process to take unexpected actions that result in an attack.
ID: 200 Name: Information Leak (information disclosure)
URL: http://cwe.mitre.org/data/definitions/200.html
An information leak is the intentional or unintentional disclosure of information that either (1) is regarded as sensitive within the product's own functionality, such as a private message, or (2) provides information about the product or its environment that could be useful in an attack but is normally not available to the attacker, such as the installation path of a product that is remotely accessible. Many information leaks are resultant (e.g. path disclosure in PHP script error), but they can also be primary (e.g. timing discrepancies in crypto). There are many different types of problems that involve information leaks. Their severity can range widely depending on the type of information that is leaked. In addition, information leaks are often resultant.
ID: 209 Name: Error Message Information Leaks
URL: http://cwe.mitre.org/data/definitions/209.html
Server messages need to be parsed before being passed on to the user.
ID: 210 Name: Product-Generated Error Message Information Leak
URL: http://cwe.mitre.org/data/definitions/210.html
The software identifies an error condition and creates its own diagnostic or error messages that contain sensitive information.
ID: 211 Name: Product-External Error Message Information Leak
URL: http://cwe.mitre.org/data/definitions/211.html
The software performs an operation that triggers a diagnostic or error message that is not under direct control of the product, e.g. an error generated by the programming language that the product uses. This is inherently a resultant vulnerability from a Weakness within the product or an interaction error. It might be controllable by configuration, e.g. in PHP error messages.
ID: 212 Name: Cross-Boundary Cleansing Information Leak
URL: http://cwe.mitre.org/data/definitions/212.html
The software does not properly remove sensitive data from a source when preparing it for, or transferring it to, an untrusted destination. For example, an internal IP address might be discovered. This discloses information about the IP addressing scheme of the internal network and can be valuable to attackers.
ID: 214 Name: Process Information Leak to Other Processes
URL: http://cwe.mitre.org/data/definitions/214.html
Certain information about a process could be obtained from other processes within the operating system, including arguments and environment variables. This can be an externally controlled infoleak, but some protective mechanisms may exist that could make it internally controlled.
ID: 215 Name: Information Leak Through Debug Information
URL: http://cwe.mitre.org/data/definitions/215.html
ID: 312 Name: Plaintext Storage of Sensitive Information
URL: http://cwe.mitre.org/data/definitions/312.html
ID: 313 Name: Plaintext Storage in File or on Disk
URL: http://cwe.mitre.org/data/definitions/313.html
Storing sensitive data in plaintext makes the data more easily accessible than if encrypted. This significantly lowers the difficulty of exploitation by attackers.
ID: 314 Name: Plaintext Storage in Registry
URL: http://cwe.mitre.org/data/definitions/314.html
Storing sensitive data in plaintext makes the data more easily accessible than if encrypted. This significantly lowers the difficulty of exploitation by attackers.
ID: 315 Name: Plaintext Storage in Cookie
URL: http://cwe.mitre.org/data/definitions/315.html
Storing sensitive data in plaintext makes the data more easily accessible than if encrypted. This significantly lowers the difficulty of exploitation by attackers.
ID: 316 Name: Plaintext Storage in Memory
URL: http://cwe.mitre.org/data/definitions/316.html
Storing sensitive data in plaintext makes the data more easily accessible than if encrypted. This significantly lowers the difficulty of exploitation by attackers.
ID: 317 Name: Plaintext Storage in GUI
URL: http://cwe.mitre.org/data/definitions/317.html
Storing sensitive data in plaintext makes the data more easily accessible than if encrypted. This significantly lowers the difficulty of exploitation by attackers.
ID: 318 Name: Plaintext Storage in Executable
URL: http://cwe.mitre.org/data/definitions/318.html
Sensitive information should not be stored in plaintext in an executable. Attackers can reverse engineer a binary code to obtain secret data.
ID: 528 Name: Information Leak Through Core Dump Files
URL: http://cwe.mitre.org/data/definitions/528.html
A core dump file left in a directory can lead to system information exposure - maybe even logins.
ID: 529 Name: Information Leak Through Access Control List Files
URL: http://cwe.mitre.org/data/definitions/529.html
These files allow the attacker to know the setup of the security Access Control Lists. This will give the attacker information that may allow the attacker to bypassing the security of the site.
ID: 530 Name: Information Leak Through Backup (.~bk) Files
URL: http://cwe.mitre.org/data/definitions/530.html
Often, old files are renamed with an extension such as .~bk to distinguish them from production files. The source code for old files that have been renamed in this manner and left in the webroot can often be retrieved. At a minimum, an attacker who retrieves this file would have all the information contained in it, whether that be database calls, the format of parameters accepted by the application, or simply information regarding the architectural structure of your site.
ID: 531 Name: Information Leak Through Test Code
URL: http://cwe.mitre.org/data/definitions/531.html
Accessible test applications can pose a variety of security risks. Since developers or administrators rarely consider that someone besides themselves would even know about the existence these applications, it is common for them to include sensitive information or functions in them.
ID: 532 Name: Information Leak Through Log Files
URL: http://cwe.mitre.org/data/definitions/532.html
Information written to log files can be of a sensitive nature and give valuable guidance to an attacker.
ID: 533 Name: Information Leak Through Server Log Files
URL: http://cwe.mitre.org/data/definitions/533.html
A server.log file was found. This can give information on whatever application left the file. Usually this can give full path names and system information, and sometimes usernames and passwords.
ID: 534 Name: Information Leak Through Debug Log Files
URL: http://cwe.mitre.org/data/definitions/534.html
The debug log file can be accessed from the web.
ID: 535 Name: Information Leak Through Shell Error Message
URL: http://cwe.mitre.org/data/definitions/535.html
A command shell error message indicates that there exists an unhandled exception in the web application code. In many cases, an attacker can leverage the conditions that cause these errors in order to gain unauthorized access to the system.
ID: 536 Name: Information Leak Through Servlet Runtime Error Message
URL: http://cwe.mitre.org/data/definitions/536.html
A servlet error message indicates that there exists an unhandled exception in your web application code. In many cases, an attacker can leverage the conditions that cause these errors in order to gain unauthorized access to the system.The error message may contain the location of the file in which the offending function is located. This may disclose the webroot's absolute path as well as give the attacker the location of application include files or configuration information. It may even disclose the portion of code that failed.
ID: 538 Name: File and Directory Information Leaks
URL: http://cwe.mitre.org/data/definitions/538.html
ID: 539 Name: Information Leak Through Persistent Cookies
URL: http://cwe.mitre.org/data/definitions/539.html
Persistent cookies are cookies that are stored on the browser's hard drive. This can cause security and privacy issues depending on the information stored in the cookie and how it is accessed.
ID: 540 Name: Information Leak Through Source Code
URL: http://cwe.mitre.org/data/definitions/540.html
There are situations where it is critical to remove source code from an area or server. For example, obtaining Perl source code on a system allows an attacker to view the logic of the script and extract extremely useful information such as code bugs or logins and passwords.
ID: 541 Name: Information Leak Through Include Source Code
URL: http://cwe.mitre.org/data/definitions/541.html
If an include file source is accessible, the file can contain usernames and passwords, as well as sensitive information pertaining to the application and system.
ID: 542 Name: Information Leak Through Cleanup Log Files
URL: http://cwe.mitre.org/data/definitions/542.html
A cleanup log file is accessible over the internet
ID: 549 Name: Missing Password Field Masking
URL: http://cwe.mitre.org/data/definitions/549.html
The software fails to mask passwords during entry increasing the potential for attackers to observe and capture passwords.
ID: 598 Name: Information Leak Through GET Request
URL: http://cwe.mitre.org/data/definitions/598.html
An area of the web application that possibly contains sensitive information or access to privileged functionality such as remote site administration functionality utilizes query strings to pass information between pages. Information in query strings is directly visible to the end user via the browser interface, which can cause security issues.

More information is available — Please select a different filter.
Page Last Updated: January 17, 2017