CWE - CWE-215: Information Leak Through Debug Information (1.6)

Home > CWE List > CWE- Individual Dictionary Definition (1.6)

CWE-215: Information Leak Through Debug Information

Information Leak Through Debug Information

Weakness ID: 215 (Weakness Variant)

Status: Draft

Description

Description Summary

The application contains debugging code that can leak sensitive information to untrusted parties.

Time of Introduction

Applicable Platforms

Languages

All

Demonstrative Examples

Example 1

The following code reads a "debugEnabled" system property and writes sensitive debug information to the client browser if true.

(Bad Code)

JSP

<% if (Boolean.getBoolean("debugEnabled")) {

User account number: <%= acctNo %>

} %>

Observed Examples

Reference	Description
CVE-2004-2268	Debug information infoleak of password.
CVE-2002-0918	CGI script includes sensitive information in debug messages when an error is triggered.
CVE-2003-1078	FTP client with debug option enabled shows password to the screen.

Potential Mitigations

Phase	Description
	Do not leave debug statements that could be executed in the source code. Assure that all debug information is eradicated before releasing the software.
Architecture and Design	Compartmentalize your system to have "safe" areas where trust boundaries can be unambiguously drawn. Do not allow sensitive data to go outside of the trust boundary and always be careful when interfacing with a compartment outside of the safe area.

Relationships

Nature	Type	ID	Name	View(s) this relationship pertains to
ChildOf	Weakness Class	200	Information Leak (Information Disclosure)	Development Concepts (primary)699 Research Concepts (primary)1000
ChildOf	Category	717	OWASP Top Ten 2007 Category A6 - Information Leakage and Improper Error Handling	Weaknesses in OWASP Top Ten (2007) (primary)629
ChildOf	Category	731	OWASP Top Ten 2004 Category A10 - Insecure Configuration Management	Weaknesses in OWASP Top Ten (2004) (primary)711
ParentOf	Weakness Variant	11	ASP.NET Misconfiguration: Creating Debug Binary	Research Concepts (primary)1000

Relationship Notes

This overlaps other categories.

Taxonomy Mappings

Mapped Taxonomy Name	Node ID	Fit	Mapped Node Name
PLOVER			Infoleak Using Debug Information
OWASP Top Ten 2007	A6	CWE More Specific	Information Leakage and Improper Error Handling
OWASP Top Ten 2004	A10	CWE More Specific	Insecure Configuration Management

Content History

Submissions
Submission Date	Submitter	Organization	Source
	PLOVER		Externally Mined

Modifications
Modification Date	Modifier	Organization	Source
2008-07-01	Sean Eidemiller	Cigital	External
2008-07-01	added/updated demonstrative examples
2008-07-01	Eric Dalci	Cigital	External
2008-07-01	updated Time of Introduction
2008-08-15		Veracode	External
2008-08-15	Suggested OWASP Top Ten 2004 mapping
2008-09-08	CWE Content Team	MITRE	Internal
2008-09-08	updated Relationships, Relationship Notes, Taxonomy Mappings
2009-05-27	CWE Content Team	MITRE	Internal
2009-05-27	updated Demonstrative Examples

Page Last Updated: October 29, 2009


	CWE is a Software Assurance strategic initiative sponsored by the National Cyber Security Division of the U.S. Department of Homeland Security. This Web site is hosted by The MITRE Corporation. Copyright 2009, The MITRE Corporation. CWE and the CWE logo are trademarks of The MITRE Corporation. Contact cwe@mitre.org for more information.	Privacy policy Terms of use Contact us