Information Leak Through Log Files
Weakness ID: 532 (Weakness Variant)Status: Incomplete
+ Description

Description Summary

Information written to log files can be of a sensitive nature and give valuable guidance to an attacker or expose sensitive user information.

Extended Description

While logging all information may be helpful during development stages, it is important that logging levels be set appropriately before a product ships so that sensitive user data and system information are not accidentally exposed to potential attackers.

+ Time of Introduction
  • Architecture and Design
  • Implementation
  • Operation
+ Common Consequences
ScopeEffect
Confidentiality

Logging sensitive user data often provides attackers with an additional, less-protected path to acquiring the information.

+ Likelihood of Exploit

Medium

+ Demonstrative Examples

Example 1

In the following code snippet, a user's full name and credit card number are written to a log file.

(Bad Code)
Example Language: Java 
logger.info("Username: " + usernme + ", CCN: " + ccn);
+ Potential Mitigations

Phases: Architecture and Design; Implementation

Consider seriously the sensitivity of the information written into log files. Do not write secrets into the log files.

Phase: Operation

Protect log files against unauthorized read/write.

Phase: Implementation

Adjust configurations appropriately when software is transitioned from a debug state to production.

+ Relationships
NatureTypeIDNameView(s) this relationship pertains toView(s)
ChildOfWeakness BaseWeakness Base538File and Directory Information Exposure
Development Concepts (primary)699
Research Concepts (primary)1000
ChildOfWeakness BaseWeakness Base552Files or Directories Accessible to External Parties
Development Concepts699
Research Concepts1000
ChildOfCategoryCategory731OWASP Top Ten 2004 Category A10 - Insecure Configuration Management
Weaknesses in OWASP Top Ten (2004) (primary)711
ParentOfWeakness VariantWeakness Variant533Information Leak Through Server Log Files
Development Concepts (primary)699
Research Concepts (primary)1000
ParentOfWeakness VariantWeakness Variant534Information Leak Through Debug Log Files
Development Concepts (primary)699
Research Concepts (primary)1000
ParentOfWeakness VariantWeakness Variant542Information Leak Through Cleanup Log Files
Development Concepts (primary)699
Research Concepts (primary)1000
+ Content History
Submissions
Submission DateSubmitterOrganizationSource
Anonymous Tool Vendor (under NDA)Externally Mined
Contributions
Contribution DateContributorOrganizationSource
2009-07-15Fortify SoftwareContent
Portions of Mitigations, Consequences and Description derived from content submitted by Fortify Software.
Modifications
Modification DateModifierOrganizationSource
2008-07-01Sean EidemillerCigitalExternal
added/updated demonstrative examples
2008-07-01Eric DalciCigitalExternal
updated Potential Mitigations, Time of Introduction
2008-09-08CWE Content TeamMITREInternal
updated Relationships, Taxonomy Mappings
2009-03-10CWE Content TeamMITREInternal
updated Relationships
2009-07-27CWE Content TeamMITREInternal
updated Common Consequences, Description, Likelihood of Exploit, Potential Mitigations