CWE

Common Weakness Enumeration

A Community-Developed Dictionary of Software Weakness Types

CWE/SANS Top 25 Most Dangerous Software Errors Common Weakness Scoring System
Common Weakness Risk Analysis Framework
Home > CWE List > CWE- Individual Dictionary Definition (2.6)  

Presentation Filter:

CWE-213: Intentional Information Exposure

 
Intentional Information Exposure
Weakness ID: 213 (Weakness Base)Status: Draft
+ Description

Description Summary

A product's design or configuration explicitly requires the publication of information that could be regarded as sensitive by an administrator.
+ Time of Introduction
  • Architecture and Design
  • Implementation
  • Operation
+ Applicable Platforms

Languages

All

+ Common Consequences
ScopeEffect
Confidentiality

Technical Impact: Read application data

+ Demonstrative Examples

Example 1

The JSP code listed below displays a user's credit card and social security numbers in a browser window (even though they aren't absolutely necessary).

(Bad Code)
Example Language: JSP 
Social Security Number: <%= ssn %></br>Credit Card Number: <%= ccn %>
+ Observed Examples
ReferenceDescription
CVE-2002-1725Script calls phpinfo()
CVE-2004-0033Script calls phpinfo()
CVE-2003-1181Script calls phpinfo()
CVE-2004-1422Script calls phpinfo()
CVE-2004-1590Script calls phpinfo()
CVE-2003-1038Product lists DLLs and full pathnames.
CVE-2005-1205Telnet protocol allows servers to obtain sensitive environment information from clients.
CVE-2005-0488Telnet protocol allows servers to obtain sensitive environment information from clients.
+ Other Notes

This overlaps other categories, but it is distinct from the error message infoleaks.

It's not always clear whether an infoleak is intentional or not. For example, CVE-2005-3261 identifies a PHP script that lists file versions, but it could be that the developer did not intend for this information to be public, but introduced a direct request issue instead.

In vulnerability theory terms, this covers cases in which the developer's Intended Policy allows the information to be made available, but the information might be in violation of a Universal Policy in which the product's administrator should have control over which

+ Relationships
NatureTypeIDNameView(s) this relationship pertains toView(s)
ChildOfWeakness ClassWeakness Class200Information Exposure
Development Concepts (primary)699
Research Concepts (primary)1000
ChildOfCategoryCategory895SFP Cluster: Information Leak
Software Fault Pattern (SFP) Clusters (primary)888
+ Taxonomy Mappings
Mapped Taxonomy NameNode IDFitMapped Node Name
PLOVERIntended information leak
+ Content History
Submissions
Submission DateSubmitterOrganizationSource
PLOVERExternally Mined
Modifications
Modification DateModifierOrganizationSource
2008-07-01Sean EidemillerCigitalExternal
added/updated demonstrative examples
2008-07-01Eric DalciCigitalExternal
updated Time_of_Introduction
2008-09-08CWE Content TeamMITREInternal
updated Relationships, Other_Notes, Taxonomy_Mappings
2011-03-29CWE Content TeamMITREInternal
updated Name
2011-06-01CWE Content TeamMITREInternal
updated Common_Consequences
2012-05-11CWE Content TeamMITREInternal
updated Relationships
2012-10-30CWE Content TeamMITREInternal
updated Potential_Mitigations
Previous Entry Names
Change DatePrevious Entry Name
2011-03-29Intended Information Leak
Page Last Updated: February 18, 2014