CWE - CWE-215: Information Leak Through Debug Information (1.4)

Home > CWE List > CWE- Individual Dictionary Definition (1.4)

CWE List
Full Dictionary View
Development View
Research View
Reports

About
Sources
Process
Documents

Community
Related Activities
Discussion List
Research
CWE/SANS Top 25
CWSS

News
Calendar
Free Newsletter

Compatibility
Program
Requirements
Declarations
Make a Declaration

Contact Us
Search the Site

CWE-215: Information Leak Through Debug Information

Individual Definition in a New Window

Information Leak Through Debug Information

Status: Draft

Weakness ID: 215 (Weakness Variant)

Description

Summary

The application contains debugging code that can leak sensitive information to untrusted parties.

Time of Introduction

Architecture and Design

Implementation

Operation

Applicable Platforms

Languages

All

Demonstrative Examples

The following code reads a "debugEnabled" system property and writes sensitive debug information to the client browser if true.

JSP Example:

<% if (Boolean.getBoolean("debugEnabled")) {

User account number: <%= acctNo %>

} %>

Observed Examples

Reference	Description
CVE-2002-0918	CGI script includes sensitive information in debug messages when an error is triggered.
CVE-2003-1078	FTP client with debug option enabled shows password to the screen.
CVE-2004-2268	Debug information infoleak of password.

Potential Mitigations

Do not leave debug statements that could be executed in the source code. Assure that all debug information is eradicated before releasing the software.

Architecture and Design

Compartmentalize your system to have "safe" areas where trust boundaries can be unambiguously drawn. Do not allow sensitive data to go outside of the trust boundary and always be careful when interfacing with a compartment outside of the safe area.

Relationships

Nature	Type	ID	Name	View(s) this relationship pertains to
ChildOf	Weakness Class	200	Information Leak (Information Disclosure)	Development Concepts (primary)699 Research Concepts (primary)1000
ChildOf	Category	731	OWASP Top Ten 2004 Category A10 - Insecure Configuration Management	Weaknesses in OWASP Top Ten (2004) (primary)711
ChildOf	Category	717	OWASP Top Ten 2007 Category A6 - Information Leakage and Improper Error Handling	Weaknesses in OWASP Top Ten (2007) (primary)629
ParentOf	Weakness Variant	11	ASP.NET Misconfiguration: Creating Debug Binary	Research Concepts (primary)1000

Relationship Notes

This overlaps other categories.

Taxonomy Mappings

Mapped Taxonomy Name	Node ID	Fit	Mapped Node Name
PLOVER			Infoleak Using Debug Information
OWASP Top Ten 2007	A6	CWE More Specific	Information Leakage and Improper Error Handling
OWASP Top Ten 2004	A10	CWE More Specific	Insecure Configuration Management

Content History

Submissions

PLOVER. (Externally Mined)

Modifications

Sean Eidemiller. Cigital. 2008-07-01. (External)

added/updated demonstrative examples

Eric Dalci. Cigital. 2008-07-01. (External)

updated Time_of_Introduction

Veracode. 2008-08-15. (External)

Suggested OWASP Top Ten 2004 mapping

CWE Content Team. MITRE. 2008-09-08. (Internal)

updated Relationships, Relationship_Notes, Taxonomy_Mappings

CWE Content Team. MITRE. 2009-05-27. (Internal)

updated Demonstrative_Examples

Page Last Updated: May 26, 2009


	CWE is a Software Assurance strategic initiative sponsored by the National Cyber Security Division of the U.S. Department of Homeland Security. This Web site is hosted by The MITRE Corporation. Copyright 2009, The MITRE Corporation. CWE and the CWE logo are trademarks of The MITRE Corporation. Contact cwe@mitre.org for more information.	Privacy policy Terms of use Contact us