CWE-213 故意性的信息暴露
Intentional Information Exposure
结构: Simple
Abstraction: Base
状态: Draft
被利用可能性: unkown
基本描述
A product's design or configuration explicitly requires the publication of information that could be regarded as sensitive by an administrator.
相关缺陷
-
cwe_Nature: ChildOf cwe_CWE_ID: 200 cwe_View_ID: 1000 cwe_Ordinal: Primary
-
cwe_Nature: ChildOf cwe_CWE_ID: 200 cwe_View_ID: 699 cwe_Ordinal: Primary
适用平台
Language: {'cwe_Class': 'Language-Independent', 'cwe_Prevalence': 'Undetermined'}
常见的影响
| 范围 | 影响 | 注释 |
|---|---|---|
| Confidentiality | Read Application Data |
示例代码
例
This code displays some information on a web page.
bad JSP
The code displays a user's credit card and social security numbers, even though they aren't absolutely necessary.
分析过的案例
| 标识 | 说明 | 链接 |
|---|---|---|
| CVE-2002-1725 | Script calls phpinfo() | https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2002-1725 |
| CVE-2004-0033 | Script calls phpinfo() | https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2004-0033 |
| CVE-2003-1181 | Script calls phpinfo() | https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2003-1181 |
| CVE-2004-1422 | Script calls phpinfo() | https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2004-1422 |
| CVE-2004-1590 | Script calls phpinfo() | https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2004-1590 |
| CVE-2003-1038 | Product lists DLLs and full pathnames. | https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2003-1038 |
| CVE-2005-1205 | Telnet protocol allows servers to obtain sensitive environment information from clients. | https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2005-1205 |
| CVE-2005-0488 | Telnet protocol allows servers to obtain sensitive environment information from clients. | https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2005-0488 |
Notes
Relationship
This overlaps other categories because some functionality might be intended by the developer, but is considered a weakness by the user or system administrator. In most cases, it is distinct from CWE-209: Information Exposure Through an Error Message because CWE-209 is often unintended.
Other
It's not always clear whether an information exposure is intentional or not. For example, CVE-2005-3261 identifies a PHP script that lists file versions, but it could be that the developer did not intend for this information to be public, but introduced a direct request issue instead.
Theoretical
In vulnerability theory terms, this covers cases in which the developer's Intended Policy allows the information to be made available, but the information might be in violation of a Universal Policy in which the product's administrator should have control over which information is considered sensitive and therefore should not be exposed.
分类映射
| 映射的分类名 | ImNode ID | Fit | Mapped Node Name |
|---|---|---|---|
| PLOVER | Intended information leak |
文章来源于互联网:scap中文网
- 左青龙
- 微信扫一扫
-
- 右白虎
- 微信扫一扫
-
评论