CWE
Home > CWE List > CWE- Individual Dictionary Definition (1.4)  

CWE-548: Information Leak Through Directory Listing

Individual Definition in a New Window
Information Leak Through Directory Listing
Status: Draft
Weakness ID: 548 (Weakness Variant)
+ Description
Summary

A directory listing is inappropriately exposed, yielding potentially sensitive information to attackers.

+ Time of Introduction
* Implementation
* Operation
+ Potential Mitigations

Recommendations include restricting access to important directories or files by adopting a need to know requirement for both the document and server root, and turning off features such as Automatic Directory Listings that could expose private files and provide information that could be utilized by an attacker when formulating or conducting an attack.

+ Other Notes

A directory listing provides an attacker with the complete index of all the resources located inside of the directory. Such an exposure can lead to an attacker gaining access to source code, providing useful information for the attacker to devise exploits. The directory listing may also compromise private or confidential data. The specific risks and consequences vary depending on the specific files that are listed and accessible.

+ Relationships
NatureTypeIDNameView(s) this relationship pertains toView(s)
ChildOfWeakness BaseWeakness BaseWeakness Base538File and Directory Information Leaks
Development Concepts (primary)699
Research Concepts (primary)1000
ChildOfWeakness BaseWeakness BaseWeakness Base552Files or Directories Accessible to External Parties
Research Concepts1000
ChildOfCategoryCategory731OWASP Top Ten 2004 Category A10 - Insecure Configuration Management
Weaknesses in OWASP Top Ten (2004) (primary)711
+ Taxonomy Mappings
Mapped Taxonomy NameNode IDFitMapped Node Name
Anonymous Tool Vendor (under NDA)   
OWASP Top Ten 2004A10CWE More SpecificInsecure Configuration Management
+ Content History
Submissions
Anonymous Tool Vendor (under NDA). (Externally Mined)
Modifications
Eric Dalci. Cigital. 2008-07-01. (External)
updated Time_of_Introduction
Veracode. 2008-08-15. (External)
Suggested OWASP Top Ten 2004 mapping
CWE Content Team. MITRE. 2008-09-08. (Internal)
updated Relationships, Other_Notes, Taxonomy_Mappings
CWE Content Team. MITRE. 2008-10-14. (Internal)
updated Other_Notes
Page Last Updated: May 26, 2009