Exposure of Sensitive Information Due to Incompatible Policies

Status: Draft
Abstraction: Base
Structure: Simple
Description

The product's intended functionality exposes information to certain actors in accordance with the developer's security policy, but this information is regarded as sensitive according to the intended security policies of other stakeholders such as the product's administrator, users, or others whose information is being processed.

Extended Description

When handling information, the developer must consider whether the information is regarded as sensitive by different stakeholders, such as users or administrators. Each stakeholder effectively has its own intended security policy that the product is expected to uphold. When a developer does not treat that information as sensitive, this can introduce a vulnerability that violates the expectations of the product's users.

Common Consequences
Scope: Confidentiality

Impact: Read Application Data

Demonstrative Examples

Example 1 (ID: DX-130)

This code displays some information on a web page.

Code example (Bad, JSP):
The code displays a user's credit card and social security numbers, even though they aren't absolutely necessary.
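The pattern this JSP example describes, as an added example in Python rather than code from this entry: a profile view that renders every field under the developer's own policy, beside one that also consults a second policy (assumed here to be set by the product's administrator) naming which fields are sensitive. The record, the two policies and the `render_fields` helper are all constructed for illustration.

```python
"""Stakeholder-policy-driven redaction for a profile view.

Added example, not code from the CWE entry. It models the JSP example in the
text: the developer's policy renders the whole record, while a second policy
(assumed to be set by the product's administrator) marks the card number and
SSN as sensitive and keeps them off the page unless a view needs them.
"""
from dataclasses import dataclass, field

# Constructed sample record; all values are fake.
RECORD = {
    "name": "A. Example",
    "email": "a.example@example.invalid",
    "card_number": "4111111111111111",
    "ssn": "123-45-6789",
}


@dataclass
class DisplayPolicy:
    """Fields one stakeholder regards as sensitive, and which may be masked."""
    sensitive: set = field(default_factory=set)
    maskable: set = field(default_factory=set)


DEVELOPER_POLICY = DisplayPolicy()  # treats nothing as sensitive: the bad case
ADMIN_POLICY = DisplayPolicy(sensitive={"card_number", "ssn"}, maskable={"card_number"})


def mask(value: str, keep: int = 4) -> str:
    """Replace all but the last `keep` digits with '*'; '-' separators are dropped."""
    digits = value.replace("-", "")
    return "*" * (len(digits) - keep) + digits[-keep:]


def render_fields(record: dict, policies: list, needed=()) -> dict:
    """Return the field -> displayed-value mapping for the page.

    A field is shown in the clear only if no policy marks it sensitive. If a
    policy does, the field is omitted from the page, unless the view declares
    it needed and every blocking policy permits a masked form.
    """
    shown = {}
    for key, value in record.items():
        blocking = [p for p in policies if key in p.sensitive]
        if not blocking:
            shown[key] = value
        elif key in needed and all(key in p.maskable for p in blocking):
            shown[key] = mask(value)
    return shown
```

With only the developer's policy the full record reaches the page; adding the administrator's policy drops both numbers, and a view that declares it needs the card number gets it masked while the SSN still never appears.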
Observed Examples

  • CVE-2002-1725: Script calls phpinfo().
  • CVE-2004-0033: Script calls phpinfo().
  • CVE-2003-1181: Script calls phpinfo().
  • CVE-2004-1422: Script calls phpinfo().
  • CVE-2004-1590: Script calls phpinfo().
  • CVE-2003-1038: Product lists DLLs and full pathnames.
  • CVE-2005-1205: Telnet protocol allows servers to obtain sensitive environment information from clients.
  • CVE-2005-0488: Telnet protocol allows servers to obtain sensitive environment information from clients.
Applicable Platforms

Languages: Not Language-Specific (Prevalence: Undetermined)

Modes of Introduction

  • Policy
  • Requirements
  • Architecture and Design
  • Implementation
Taxonomy Mapping
  • PLOVER
Notes
Maintenance: This entry is being considered for deprecation. It overlaps many other entries related to information exposures. It might not be essential to preserve this entry, since other key stakeholder policies are covered elsewhere, e.g. personal privacy leaks (Exposure of Private Personal Information to an Unauthorized Actor) and system-level exposures that are important to system administrators (Exposure of Sensitive System Information to an Unauthorized Control Sphere).

Theoretical: In vulnerability theory terms, this covers cases in which the developer's Intended Policy allows the information to be made available, but the information might be in violation of a Universal Policy in which the product's administrator should have control over which information is considered sensitive and therefore should not be exposed.