CWE-209: Generation of Error Message Containing Sensitive Information
CWE版本: 4.18
更新日期: 2025-09-09
弱点描述
The product generates an error message that includes sensitive information about its environment, users, or associated data.
常见后果
影响范围: Confidentiality
技术影响: Read Application Data
说明: Often this will either reveal sensitive information which may be used to launch another, more focused attack or disclose private information stored in the server. For example, an attempt to exploit a path traversal weakness (CWE-22) might yield the full pathname of the installed application. In turn, this could be used to select the proper number of ".." sequences to navigate to the targeted file. An attack using SQL injection (CWE-89) might not initially succeed, but an error message could reveal the malformed query, which would expose query logic and possibly even passwords or other sensitive information used within the query.
潜在缓解措施
阶段: Implementation
阶段: Implementation
描述: Handle exceptions internally and do not display errors containing potentially sensitive information to a user.
阶段: Implementation
策略: Attack Surface Reduction
描述: Use naming conventions and strong types to make it easier to spot when sensitive data is being used. When creating structures, objects, or other complex entities, separate the sensitive and non-sensitive data as much as possible.
有效性: Defense in Depth
阶段: Implementation Build and Compilation
策略: Compilation or Build Hardening
描述: Debugging information should not make its way into a production release.
阶段: Implementation Build and Compilation
策略: Environment Hardening
描述: Debugging information should not make its way into a production release.
阶段: System Configuration
描述: Where available, configure the environment to use less verbose error messages. For example, in PHP, disable the display_errors setting during configuration, or at runtime using the error_reporting() function.
阶段: System Configuration
描述: Create default error pages or messages that do not leak any information.
检测方法
方法: Manual Analysis
This weakness generally requires domain-specific interpretation using manual analysis. However, the number of potential error conditions may be too large to cover completely within limited time constraints.
有效性: High
方法: Automated Analysis
Automated methods may be able to detect certain idioms automatically, such as exposed stack traces or pathnames, but violation of business rules or privacy requirements is not typically feasible.
有效性: Moderate
方法: Automated Dynamic Analysis
有效性: Moderate
方法: Manual Dynamic Analysis
Identify error conditions that are not likely to occur during normal usage and trigger them. For example, run the program under low memory conditions, run with insufficient privileges or permissions, interrupt a transaction before it is completed, or disable connectivity to basic network services such as DNS. Monitor the software for any unexpected behavior. If you trigger an unhandled exception or similar error that was discovered and handled by the application's environment, it may still indicate unexpected conditions that were not handled by the application itself.
方法: Automated Static Analysis
Automated static analysis, commonly referred to as Static Application Security Testing (SAST), can find some instances of this weakness by analyzing source code (or binary/compiled code) without having to execute it. Typically, this is done by building a model of data flow and control flow, then searching for potentially-vulnerable patterns that connect "sources" (origins of input) with "sinks" (destinations where the data interacts with external components, a lower layer such as the OS, etc.)
观察示例
参考: CVE-2008-2049
POP3 server reveals a password in an error message after multiple APOP commands are sent. Might be resultant from another weakness.
参考: CVE-2007-5172
Program reveals password in error message if attacker can trigger certain database errors.
参考: CVE-2008-4638
Composite: application running with high privileges (CWE-250) allows user to specify a restricted file to process, which generates a parsing error that leaks the contents of the file (CWE-209).
参考: CVE-2008-1579
Existence of user names can be determined by requesting a nonexistent blog and reading the error message.
参考: CVE-2007-1409
Direct request to library file in web application triggers pathname leak in error message.
参考: CVE-2008-3060
Malformed input to login page causes leak of full path when IMAP call fails.
参考: CVE-2005-0603
Malformed regexp syntax leads to information exposure in error message.
参考: CVE-2017-9615
verbose logging stores admin credentials in a world-readablelog file
参考: CVE-2018-1999036
SSH password for private key stored in build log
引入模式
| 阶段 | 说明 |
|---|---|
| Architecture and Design | - |
| Implementation | REALIZATION: This weakness is caused during implementation of an architectural security tactic. |
| System Configuration | - |
| Operation | - |
适用平台
编程语言
分类映射
| 分类名称 | 条目ID | 条目名称 | 映射适配度 |
|---|---|---|---|
| CLASP | - | Accidental leaking of sensitive information through error messages | - |
| OWASP Top Ten 2007 | A6 | Information Leakage and Improper Error Handling | CWE More Specific |
| OWASP Top Ten 2004 | A7 | Improper Error Handling | CWE More Specific |
| OWASP Top Ten 2004 | A10 | Insecure Configuration Management | CWE More Specific |
| The CERT Oracle Secure Coding Standard for Java (2011) | ERR01-J | Do not allow exceptions to expose sensitive information | - |
| Software Fault Patterns | SFP23 | Exposed Data | - |
关键信息
CWE ID: CWE-209
抽象级别: Base
结构: Simple
状态: Draft
利用可能性: High