Information Leak Through Log Files
Weakness ID: 532 (Weakness Variant) | Status: Incomplete
Description Summary
Extended Description
While logging all information may be helpful during development stages, it is important that logging levels be set appropriately before a product ships so that sensitive user data and system information are not accidentally exposed to potential attackers.
| Scope | Effect |
|---|---|
| Confidentiality | Logging sensitive user data often provides attackers with an additional, less-protected path to acquiring the information. |
Example 1
In the following code snippet, a user's full name and credit card number are written to a log file.
| Phase | Mitigation |
|---|---|
| Architecture and Design; Implementation | Consider seriously the sensitivity of the information written into log files. Do not write secrets into the log files. |
| Operation | Protect log files against unauthorized read/write. |
| Implementation | Adjust configurations appropriately when software is transitioned from a debug state to production. |
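The pattern Example 1 describes, beside two of the mitigations above, as an added Python illustration that is not part of the CWE entry: a masked card number at the call site, and a logger filter that redacts anything card-number-shaped before any handler writes it. The name and card number are constructed sample values.

```python
import io
import logging
import re

# Constructed sample values for the demonstration; not real customer data.
FULL_NAME = "Alice Example"
CARD_NUMBER = "4111 1111 1111 1111"

# Card-number-like runs of 13-19 digits, optionally separated by spaces or dashes.
PAN_RE = re.compile(r"\b(?:\d[ -]?){12,18}\d\b")

def mask_pan(value: str) -> str:
    """Keep only the last four digits, which is all support staff normally need."""
    digits = re.sub(r"\D", "", value)
    return "*" * (len(digits) - 4) + digits[-4:]

class PanRedactingFilter(logging.Filter):
    """Defence in depth: scrub card numbers from every record before a handler sees it."""
    def filter(self, record: logging.LogRecord) -> bool:
        record.msg = PAN_RE.sub(lambda m: mask_pan(m.group(0)), record.getMessage())
        record.args = None  # message already interpolated above
        return True

def log_purchase_insecure(logger: logging.Logger) -> None:
    # The pattern Example 1 describes: full name and card number written verbatim.
    logger.info("Purchase by %s with card %s", FULL_NAME, CARD_NUMBER)

def log_purchase_secure(logger: logging.Logger) -> None:
    # Mitigation at the call site: no name, masked card number.
    logger.info("Purchase completed, card %s", mask_pan(CARD_NUMBER))

def capture(log_fn, redact: bool) -> str:
    """Run log_fn against a fresh in-memory logger and return the single line it wrote."""
    logger = logging.getLogger("cwe532.redacted" if redact else "cwe532.raw")
    logger.handlers.clear()
    logger.filters.clear()
    logger.propagate = False
    logger.setLevel(logging.INFO)
    buf = io.StringIO()
    logger.addHandler(logging.StreamHandler(buf))
    if redact:
        logger.addFilter(PanRedactingFilter())
    log_fn(logger)
    return buf.getvalue().strip()

if __name__ == "__main__":
    print("insecure:", capture(log_purchase_insecure, redact=False))
    print("filtered:", capture(log_purchase_insecure, redact=True))  # name still leaks
    print("secure:  ", capture(log_purchase_secure, redact=True))
```

The filter alone still leaks the customer's name, which is why the call-site change matters: redaction catches what slips through, but the first control is not writing the data at all.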
| Nature | Type | ID | Name | View(s) this relationship pertains to |
|---|---|---|---|---|
| ChildOf | Weakness Base | 538 | File and Directory Information Exposure | Development Concepts (primary) 699; Research Concepts (primary) 1000 |
| ChildOf | Weakness Base | 552 | Files or Directories Accessible to External Parties | Development Concepts 699; Research Concepts 1000 |
| ChildOf | Category | 731 | OWASP Top Ten 2004 Category A10 - Insecure Configuration Management | Weaknesses in OWASP Top Ten (2004) (primary) 711 |
| ParentOf | Weakness Variant | 533 | Information Leak Through Server Log Files | Development Concepts (primary) 699; Research Concepts (primary) 1000 |
| ParentOf | Weakness Variant | 534 | Information Leak Through Debug Log Files | Development Concepts (primary) 699; Research Concepts (primary) 1000 |
| ParentOf | Weakness Variant | 542 | Information Leak Through Cleanup Log Files | Development Concepts (primary) 699; Research Concepts (primary) 1000 |
Submissions

| Submission Date | Submitter | Organization | Source | Notes |
|---|---|---|---|---|
| | Anonymous Tool Vendor (under NDA) | | Externally Mined | |

Contributions

| Contribution Date | Contributor | Organization | Source | Notes |
|---|---|---|---|---|
| 2009-07-15 | Fortify Software | | Content | Portions of Mitigations, Consequences and Description derived from content submitted by Fortify Software. |

Modifications

| Modification Date | Modifier | Organization | Source | Notes |
|---|---|---|---|---|
| 2008-07-01 | Sean Eidemiller | Cigital | External | added/updated demonstrative examples |
| 2008-07-01 | Eric Dalci | Cigital | External | updated Potential Mitigations, Time of Introduction |
| 2008-09-08 | CWE Content Team | MITRE | Internal | updated Relationships, Taxonomy Mappings |
| 2009-03-10 | CWE Content Team | MITRE | Internal | updated Relationships |
| 2009-07-27 | CWE Content Team | MITRE | Internal | updated Common Consequences, Description, Likelihood of Exploit, Potential Mitigations |