CWE-210: Self-generated Error Message Containing Sensitive Information

Read Application Data

Code examples

Illustrative examples from MITRE showing how the weakness appears in code.

The following code uses custom configuration files for each user in the application. It checks to see if the file exists on the system before attempting to open and use the file. If the configuration file does not exist, then an error is generated, and the application exits.

Vulnerable example

perl

# avoid CWE-22, CWE-78, others.
$uname = GetUserInput("username");

If this code is running on a server, such as a web application, then the person making the request should not know what the full pathname of the configuration directory is. By submitting a username that is not associated with a configuration file, an attacker could get this pathname from the error message. It could then be used to exploit path traversal, symbolic link following, or other problems that may exist elsewhere in the application.

CWE-210: Self-generated Error Message Containing Sensitive Information

Overview

Real-world CVEs

Common consequences

How it happens

When it is introduced

How to prevent it

Code examples

Illustrative examples

Terminology & mappings

Mapped taxonomies

Frequently asked questions

What is CWE-210?

What CVEs are caused by CWE-210?

How do you prevent CWE-210?

What are the consequences of CWE-210?

Is CWE-210 actively exploited?

References

Stay ahead of CWE-210

Overview

Real-world CVEs

Common consequences

How it happens

When it is introduced

How to prevent it

Code examples

Illustrative examples

Related weaknesses

Parent

Terminology & mappings

Mapped taxonomies

Frequently asked questions

What is CWE-210?

What CVEs are caused by CWE-210?

How do you prevent CWE-210?

What are the consequences of CWE-210?

Is CWE-210 actively exploited?

References

Stay ahead of CWE-210