CWE

Common Weakness Enumeration

A Community-Developed Dictionary of Software Weakness Types

CWE/SANS Top 25 Most Dangerous Software Errors Common Weakness Scoring System
Common Weakness Risk Analysis Framework
Home > CWE List > CWE- Individual Dictionary Definition (2.7)  

Presentation Filter:

CWE-201: Information Exposure Through Sent Data

 
Information Exposure Through Sent Data
Weakness ID: 201 (Weakness Variant)Status: Draft
+ Description

Description Summary

The accidental exposure of sensitive information through sent data refers to the transmission of data which are either sensitive in and of itself or useful in the further exploitation of the system through standard data channels.
+ Time of Introduction
  • Implementation
+ Applicable Platforms

Languages

All

+ Common Consequences
ScopeEffect

Technical Impact: Read files or directories; Read memory; Read application data

Sensitive data may be exposed to attackers.

+ Demonstrative Examples

Example 1

The following is an actual mysql error statement:

(Result)
Example Language: SQL 
Warning: mysql_pconnect(): Access denied for user: 'root@localhost' (Using password: N1nj4) in /usr/local/www/wi-data/includes/database.inc on line 4
+ Potential Mitigations

Phase: Requirements

Specify which data in the software should be regarded as sensitive. Consider which types of users should have access to which types of data.

Phase: Implementation

Ensure that any possibly sensitive data specified in the requirements is verified with designers to ensure that it is either a calculated risk or mitigated elsewhere. Any information that is not necessary to the functionality should be removed in order to lower both the overhead and the possibility of security sensitive data being sent.

Phase: System Configuration

Setup default error messages so that unexpected errors do not disclose sensitive information.

Phase: Architecture and Design

Strategy: Separation of Privilege

Compartmentalize the system to have "safe" areas where trust boundaries can be unambiguously drawn. Do not allow sensitive data to go outside of the trust boundary and always be careful when interfacing with a compartment outside of the safe area.

Ensure that appropriate compartmentalization is built into the system design and that the compartmentalization serves to allow for and further reinforce privilege separation functionality. Architects and designers should rely on the principle of least privilege to decide when it is appropriate to use and to drop system privileges.

+ Relationships
NatureTypeIDNameView(s) this relationship pertains toView(s)
ChildOfWeakness ClassWeakness Class200Information Exposure
Development Concepts (primary)699
Research Concepts (primary)1000
ChildOfCategoryCategory895SFP Cluster: Information Leak
Software Fault Pattern (SFP) Clusters (primary)888
CanAlsoBeWeakness VariantWeakness Variant202Exposure of Sensitive Data Through Data Queries
Research Concepts1000
CanAlsoBeWeakness BaseWeakness Base209Information Exposure Through an Error Message
Research Concepts1000
+ Taxonomy Mappings
Mapped Taxonomy NameNode IDFitMapped Node Name
CLASPAccidental leaking of sensitive information through sent data
+ Content History
Submissions
Submission DateSubmitterOrganizationSource
Externally Mined
Modifications
Modification DateModifierOrganizationSource
2008-07-01CigitalExternal
updated Potential_Mitigations, Time_of_Introduction
2008-09-08MITREInternal
updated Common_Consequences, Relationships, Other_Notes, Taxonomy_Mappings
2009-10-29MITREInternal
updated Other_Notes, Potential_Mitigations
2010-09-27MITREInternal
updated Common_Consequences, Description, Name
2010-12-13MITREInternal
updated Common_Consequences
2011-06-01MITREInternal
updated Common_Consequences
2012-05-11MITREInternal
updated Relationships
2012-10-30MITREInternal
updated Potential_Mitigations
2013-02-21MITREInternal
updated Potential_Mitigations
2014-02-18MITREInternal
updated Related_Attack_Patterns
Previous Entry Names
Change DatePrevious Entry Name
2010-09-27Information Leak Through Sent Data
Page Last Updated: June 23, 2014