CWE-209 Detail

CWE-209

Generation of Error Message Containing Sensitive Information
Hoog
Draft
2006-07-19
00h00 +00:00
2025-12-11
00h00 +00:00
CWE Mitre.org
Meldingen voor een CWE
Blijf op de hoogte van wijzigingen voor een specifieke CWE.
Meldingen beheren

Naam: Generation of Error Message Containing Sensitive Information

The product generates an error message that includes sensitive information about its environment, users, or associated data.

Algemene informatie

Introductiemodi

Architecture and Design
Implementation : REALIZATION: This weakness is caused during implementation of an architectural security tactic.
System Configuration
Operation

Toepasselijke platforms

Taal

Name: PHP (Often)
Name: Java (Often)
Class: Not Language-Specific (Undetermined)

Technologieën

Class: Not Technology-Specific (Undetermined)

Veelvoorkomende gevolgen

Bereik Impact Waarschijnlijkheid
ConfidentialityRead Application Data

Note: Often this will either reveal sensitive information which may be used to launch another, more focused attack or disclose private information stored in the server. For example, an attempt to exploit a path traversal weakness (CWE-22) might yield the full pathname of the installed application. In turn, this could be used to select the proper number of ".." sequences to navigate to the targeted file. An attack using SQL injection (CWE-89) might not initially succeed, but an error message could reveal the malformed query, which would expose query logic and possibly even passwords or other sensitive information used within the query.

Waargenomen voorbeelden

Referenties Beschrijving

CVE-2008-2049

POP3 server reveals a password in an error message after multiple APOP commands are sent. Might be resultant from another weakness.

CVE-2007-5172

Program reveals password in error message if attacker can trigger certain database errors.

CVE-2008-4638

Composite: application running with high privileges (CWE-250) allows user to specify a restricted file to process, which generates a parsing error that leaks the contents of the file (CWE-209).

CVE-2008-1579

Existence of user names can be determined by requesting a nonexistent blog and reading the error message.

CVE-2007-1409

Direct request to library file in web application triggers pathname leak in error message.

CVE-2008-3060

Malformed input to login page causes leak of full path when IMAP call fails.

CVE-2005-0603

Malformed regexp syntax leads to information exposure in error message.

CVE-2017-9615

verbose logging stores admin credentials in a world-readablelog file

CVE-2018-1999036

SSH password for private key stored in build log

Mogelijke risicobeperkingen

Phases : Implementation
Phases : Implementation
Handle exceptions internally and do not display errors containing potentially sensitive information to a user.
Phases : Implementation
Use naming conventions and strong types to make it easier to spot when sensitive data is being used. When creating structures, objects, or other complex entities, separate the sensitive and non-sensitive data as much as possible.
Phases : Implementation // Build and Compilation
Debugging information should not make its way into a production release.
Phases : Implementation // Build and Compilation
Debugging information should not make its way into a production release.
Phases : System Configuration
Where available, configure the environment to use less verbose error messages. For example, in PHP, disable the display_errors setting during configuration, or at runtime using the error_reporting() function.
Phases : System Configuration
Create default error pages or messages that do not leak any information.

Detectiemethoden

Manual Analysis

This weakness generally requires domain-specific interpretation using manual analysis. However, the number of potential error conditions may be too large to cover completely within limited time constraints.
Effectiviteit : High

Automated Analysis

Automated methods may be able to detect certain idioms automatically, such as exposed stack traces or pathnames, but violation of business rules or privacy requirements is not typically feasible.
Effectiviteit : Moderate

Automated Dynamic Analysis

Effectiviteit : Moderate

Manual Dynamic Analysis

Identify error conditions that are not likely to occur during normal usage and trigger them. For example, run the program under low memory conditions, run with insufficient privileges or permissions, interrupt a transaction before it is completed, or disable connectivity to basic network services such as DNS. Monitor the software for any unexpected behavior. If you trigger an unhandled exception or similar error that was discovered and handled by the application's environment, it may still indicate unexpected conditions that were not handled by the application itself.

Automated Static Analysis

Automated static analysis, commonly referred to as Static Application Security Testing (SAST), can find some instances of this weakness by analyzing source code (or binary/compiled code) without having to execute it. Typically, this is done by building a model of data flow and control flow, then searching for potentially-vulnerable patterns that connect "sources" (origins of input) with "sinks" (destinations where the data interacts with external components, a lower layer such as the OS, etc.)

Notities kwetsbaarheidsmapping

Rechtvaardiging : This CWE entry is at the Base level of abstraction, which is a preferred level of abstraction for mapping to the root causes of vulnerabilities.
Opmerking : Carefully read both the name and description to ensure that this mapping is an appropriate fit. Do not try to 'force' a mapping to a lower-level Base/Variant simply to comply with this preferred level of abstraction.

Gerelateerde aanvalspatronen

CAPEC-ID Naam aanvalspatroon
CAPEC-215 Fuzzing for application mapping
An attacker sends random, malformed, or otherwise unexpected messages to a target application and observes the application's log or error messages returned. The attacker does not initially know how a target will respond to individual messages but by attempting a large number of message variants they may find a variant that trigger's desired behavior. In this attack, the purpose of the fuzzing is to observe the application's log and error messages, although fuzzing a target can also sometimes cause the target to enter an unstable state, causing a crash.
CAPEC-463 Padding Oracle Crypto Attack
An adversary is able to efficiently decrypt data without knowing the decryption key if a target system leaks data on whether or not a padding error happened while decrypting the ciphertext. A target system that leaks this type of information becomes the padding oracle and an adversary is able to make use of that oracle to efficiently decrypt data without knowing the decryption key by issuing on average 128*b calls to the padding oracle (where b is the number of bytes in the ciphertext block). In addition to performing decryption, an adversary is also able to produce valid ciphertexts (i.e., perform encryption) by using the padding oracle, all without knowing the encryption key.
CAPEC-54 Query System for Information
An adversary, aware of an application's location (and possibly authorized to use the application), probes an application's structure and evaluates its robustness by submitting requests and examining responses. Often, this is accomplished by sending variants of expected queries in the hope that these modified queries might return information beyond what the expected set of queries would provide.
CAPEC-7 Blind SQL Injection
Blind SQL Injection results from an insufficient mitigation for SQL Injection. Although suppressing database error messages are considered best practice, the suppression alone is not sufficient to prevent SQL Injection. Blind SQL Injection is a form of SQL Injection that overcomes the lack of error messages. Without the error messages that facilitate SQL Injection, the adversary constructs input strings that probe the target through simple Boolean SQL expressions. The adversary can determine if the syntax and structure of the injection was successful based on whether the query was executed or not. Applied iteratively, the adversary determines how and where the target is vulnerable to SQL Injection.

Notities


Referenties

REF-174

Information Leakage
Web Application Security Consortium.
http://projects.webappsec.org/w/page/13246936/Information%20Leakage

REF-175

Secure Programming with Static Analysis
Brian Chess, Jacob West.

REF-176

Writing Secure Code
Michael Howard, David LeBlanc.

REF-44

24 Deadly Sins of Software Security
Michael Howard, David LeBlanc, John Viega.

REF-44

24 Deadly Sins of Software Security
Michael Howard, David LeBlanc, John Viega.

REF-179

Top 25 Series - Rank 16 - Information Exposure Through an Error Message
Johannes Ullrich.
https://www.sans.org/blog/top-25-series-rank-16-information-exposure-through-an-error-message

REF-62

The Art of Software Security Assessment
Mark Dowd, John McDonald, Justin Schuh.

REF-18

The CLASP Application Security Process
Secure Software, Inc..
https://cwe.mitre.org/documents/sources/TheCLASPApplicationSecurityProcess.pdf

Indiening

Naam Organisatie Datum Releasedatum Version
CLASP 2006-07-19 +00:00 2006-07-19 +00:00 Draft 3

Wijzigingen

Naam Organisatie Datum Opmerking
Eric Dalci Cigital 2008-07-01 +00:00 updated Time_of_Introduction
Veracode 2008-08-15 +00:00 Suggested OWASP Top Ten 2004 mapping
CWE Content Team MITRE 2008-09-08 +00:00 updated Applicable_Platforms, Common_Consequences, Relationships, Other_Notes, Taxonomy_Mappings
CWE Content Team MITRE 2008-10-14 +00:00 updated Relationships
CWE Content Team MITRE 2009-01-12 +00:00 updated Demonstrative_Examples, Description, Name, Observed_Examples, Other_Notes, Potential_Mitigations, Relationships, Time_of_Introduction
CWE Content Team MITRE 2009-03-10 +00:00 updated Demonstrative_Examples, Potential_Mitigations, Relationships
CWE Content Team MITRE 2009-12-28 +00:00 updated Demonstrative_Examples, Name, Potential_Mitigations, References, Time_of_Introduction
CWE Content Team MITRE 2010-02-16 +00:00 updated Detection_Factors, References, Relationships
CWE Content Team MITRE 2010-04-05 +00:00 updated Related_Attack_Patterns
CWE Content Team MITRE 2010-06-21 +00:00 updated Common_Consequences, Detection_Factors, Potential_Mitigations, References
Veracode 2010-09-09 +00:00 Suggested OWASP Top Ten mapping
CWE Content Team MITRE 2010-09-27 +00:00 updated Potential_Mitigations, Relationships
CWE Content Team MITRE 2011-03-29 +00:00 updated Demonstrative_Examples, Observed_Examples, Relationships
CWE Content Team MITRE 2011-06-01 +00:00 updated Relationships, Taxonomy_Mappings
CWE Content Team MITRE 2011-06-27 +00:00 updated Relationships
CWE Content Team MITRE 2011-09-13 +00:00 updated Relationships, Taxonomy_Mappings
CWE Content Team MITRE 2012-05-11 +00:00 updated References, Related_Attack_Patterns, Relationships
CWE Content Team MITRE 2013-07-17 +00:00 updated References
CWE Content Team MITRE 2014-06-23 +00:00 updated Relationships
CWE Content Team MITRE 2014-07-30 +00:00 updated Relationships, Taxonomy_Mappings
CWE Content Team MITRE 2017-11-08 +00:00 updated Applicable_Platforms, Modes_of_Introduction, References, Relationships, Taxonomy_Mappings
CWE Content Team MITRE 2018-03-27 +00:00 updated References, Relationships
CWE Content Team MITRE 2019-01-03 +00:00 updated Taxonomy_Mappings
CWE Content Team MITRE 2019-06-20 +00:00 updated Relationships
CWE Content Team MITRE 2019-09-19 +00:00 updated Demonstrative_Examples, Observed_Examples
CWE Content Team MITRE 2020-02-24 +00:00 updated Applicable_Platforms, Description, Name, Observed_Examples, References, Relationships, Weakness_Ordinalities
CWE Content Team MITRE 2020-12-10 +00:00 updated Potential_Mitigations, Related_Attack_Patterns
CWE Content Team MITRE 2021-07-20 +00:00 updated Relationships
CWE Content Team MITRE 2021-10-28 +00:00 updated Relationships
CWE Content Team MITRE 2022-10-13 +00:00 updated Demonstrative_Examples
CWE Content Team MITRE 2023-01-31 +00:00 updated Description
CWE Content Team MITRE 2023-04-27 +00:00 updated Detection_Factors, References, Relationships
CWE Content Team MITRE 2023-06-29 +00:00 updated Mapping_Notes
CWE Content Team MITRE 2025-09-09 +00:00 updated Common_Consequences, Description, Diagram, Other_Notes, References
CWE Content Team MITRE 2025-12-11 +00:00 updated Applicable_Platforms, Relationships
De informatie die op CVE Find wordt gepresenteerd, is afkomstig van verschillende zorgvuldig geselecteerde referentiebronnen. CVE-gegevens worden geleverd door MITRE Corporation en de National Vulnerability Database (NVD). De Known Exploited Vulnerabilities (KEV)-catalogus is afkomstig van de Cybersecurity and Infrastructure Security Agency (CISA), terwijl EPSS-scores afkomstig zijn van FIRST.org. Daarnaast worden gegevens over softwarezwakheden (CWE) en veelvoorkomende aanvalspatronen (CAPEC) bijgehouden door MITRE Corporation, en informatie over hardware- en softwareconfiguraties (CPE) wordt geleverd door de NVD.