Information Leak Through Comments
Weakness ID: 615 (Weakness Variant)Status: Incomplete
+ Description

Description Summary

While adding general comments is very useful, some programmers tend to leave important data, such as: filenames related to the web application, old links or links which were not meant to be browsed by users, old code fragments, etc.

Extended Description

An attacker who finds these comments can map the application's structure and files, expose hidden parts of the site, and study the fragments of code to reverse engineer the application, which may help develop further attacks against the site.

+ Time of Introduction
  • Implementation
+ Demonstrative Examples

Example 1

The following comment, embedded in a JSP, will be displayed in the resulting HTML output.

(Bad Code)
Example Languages: HTML and JSPĀ 
<!-- FIXME: calling this with more than 30 args kills the JDBC server -->
+ Observed Examples
CVE-2007-6197Version numbers and internal hostnames leaked in HTML comments.
CVE-2007-4072CMS places full pathname of server in HTML comment.
CVE-2009-2431blog software leaks real username in HTML comment.
+ Potential Mitigations

Remove comments which have sensitive information about the design/implementation of the application. Some of the comments may be exposed to the user and affect the security posture of the application.

+ Relationships
NatureTypeIDNameView(s) this relationship pertains toView(s)
ChildOfWeakness VariantWeakness Variant540Information Leak Through Source Code
Development Concepts (primary)699
Research Concepts (primary)1000
+ Content History
Submission DateSubmitterOrganizationSource
Anonymous Tool Vendor (under NDA)Externally Mined
Modification DateModifierOrganizationSource
2008-07-01Sean EidemillerCigitalExternal
added/updated demonstrative examples
2008-07-01Eric DalciCigitalExternal
updated Potential Mitigations, Time of Introduction
2008-09-08CWE Content TeamMITREInternal
updated Relationships, Taxonomy Mappings
2008-10-14CWE Content TeamMITREInternal
updated Description
2009-03-10CWE Content TeamMITREInternal
updated Demonstrative Examples
2009-07-27CWE Content TeamMITREInternal
updated Observed Examples, Taxonomy Mappings