Omission of Security-relevant Information

Status: Draft
Abstraction: Base
Structure: Simple
Description

The product does not record or display information that would be important for identifying the source or nature of an attack, or determining if an action is safe.

Common Consequences
Scope: Non-Repudiation

Impact: Hide Activities

The source of an attack will be difficult or impossible to determine, and attacks against the system can continue unnoticed because the evidence that would reveal them is never recorded.

Demonstrative Examples

ID : DX-174

This code logs suspicious multiple login attempts.

Code Example (Bad, PHP):

This code only writes a log entry once the number of failed login attempts for an account crosses a fixed threshold. An attacker who knows (or can guess) that threshold can keep each account just below it and carry on guessing without ever being recorded; the attempts below the limit leave no trace at all.
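The following is an added example, not the entry's own listing: it shows the threshold-only pattern the text describes next to a version that records every authentication decision with its source address, target account and outcome. The helper names (checkCredentials, loginThresholdOnly, loginLogEvery, writeLog), the in-memory $log array standing in for a real audit sink, the credential store and the attempt sequence are all constructed for the demonstration.

```php
<?php
// Added example (not CWE code). Names and data are hypothetical/constructed.

$log = [];            // stands in for a real audit log (file, syslog, SIEM)
$failedLogins = [];   // per-username consecutive-failure counter

function writeLog(string $line): void {
    global $log;
    $log[] = date('c') . ' ' . $line;
}

function checkCredentials(string $username, string $password): bool {
    static $users = null;
    if ($users === null) {
        // Constructed credential store for the example.
        $users = ['alice' => password_hash('correct-horse', PASSWORD_DEFAULT)];
    }
    return isset($users[$username]) && password_verify($password, $users[$username]);
}

// Weak form: nothing is written until the sixth consecutive failure for a
// username, and even then the source address is not recorded. An attacker who
// stops at five guesses per account never appears in the log.
function loginThresholdOnly(string $username, string $password, string $ip): bool {
    global $failedLogins;
    if (checkCredentials($username, $password)) {
        $failedLogins[$username] = 0;
        return true;
    }
    $failedLogins[$username] = ($failedLogins[$username] ?? 0) + 1;
    if ($failedLogins[$username] > 5) {
        writeLog("suspicious login activity for $username");
    }
    return false;
}

// Corrected form: every decision is recorded with outcome, account, source
// and the running failure count. Deciding what is "suspicious" is left to the
// log consumer, which can apply any threshold after the fact.
function loginLogEvery(string $username, string $password, string $ip): bool {
    global $failedLogins;
    $ok = checkCredentials($username, $password);
    $failedLogins[$username] = $ok ? 0 : ($failedLogins[$username] ?? 0) + 1;
    writeLog(sprintf('auth %s user=%s src=%s consecutive_failures=%d',
        $ok ? 'success' : 'failure', $username, $ip, $failedLogins[$username]));
    return $ok;
}

// Constructed attack: five wrong guesses against one account, then the right one.
$attempts = [
    ['alice', 'a'], ['alice', 'b'], ['alice', 'c'],
    ['alice', 'd'], ['alice', 'e'], ['alice', 'correct-horse'],
];

$log = []; $failedLogins = [];
foreach ($attempts as [$u, $p]) {
    loginThresholdOnly($u, $p, '203.0.113.9');
}
echo "threshold-only logging: " . count($log) . " log line(s)\n";

$log = []; $failedLogins = [];
foreach ($attempts as [$u, $p]) {
    loginLogEvery($u, $p, '203.0.113.9');
}
echo "log-every-decision: " . count($log) . " log line(s)\n";
print_r($log);
```

With this sequence the threshold variant writes nothing, because the counter never exceeds five before the successful login resets it, while the corrected variant leaves six entries that a detection rule can group by src or user. The point is not the particular threshold but where it lives: the application records facts, and the consumer decides what is suspicious.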

ID : DX-175

This code prints the contents of a file if a user has permission.

Code Example (Bad, PHP):

```php
// Only the function body survives on the page; the wrapper, the $user
// identity and writeLog() are assumed here so the snippet is complete. The
// function name is a placeholder (PHP's built-in readfile() makes "readFile"
// unusable as a name, since function names are case-insensitive).
function printFileIfOwner($filename, $user) {
    $realFile = $filename;
    //resolve file if its a symbolic link
    if(is_link($filename)){
        $realFile = readlink($filename);
    }
    if(fileowner($realFile) == $user){
        echo file_get_contents($realFile);
        return;
    }
    else{
        echo 'Access denied';
        writeLog($user . ' attempted to access the file '. $filename . ' on '. date('r'));
    }
}
```

While the code logs the denied access attempt, it logs the user-supplied name for the file, not the canonicalized file name. An attacker can obscure their real target by handing the script the name of a symbolic link to the file they are after, so the log entry never names the file that was actually touched. Also note that this code contains a race condition between the is_link() and readlink() calls (CWE-363, Race Condition Enabling Link Following): the link can be changed after it is inspected and before it is read.
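An added example, not the entry's code, of the two fixes the text implies: log both the requested name and the canonical target, and make the ownership decision on the handle that was actually opened rather than on a path inspected earlier. realpath(), fopen() and fstat() are real PHP functions; writeLog() and readOwnedFile() are hypothetical helpers, and the files, symlink and uids in the demonstration are constructed (it assumes a Unix-like host where /etc/passwd exists and is not owned by the caller).

```php
<?php
// Added example (not CWE code). Helper names are hypothetical; the scenario
// below is constructed for the demonstration.

function writeLog(string $line): void {
    fwrite(STDERR, date('r') . ' ' . $line . "\n");
}

// Returns the file contents, or null (after logging) when access is refused.
function readOwnedFile(string $requested, int $uid): ?string {
    // realpath() follows every symlink in the path and yields false if the
    // path does not resolve. The resolved name is what gets logged and opened.
    $resolved = realpath($requested);
    if ($resolved === false) {
        writeLog("DENY uid=$uid requested '$requested': path does not resolve");
        return null;
    }
    $fp = fopen($resolved, 'rb');
    if ($fp === false) {
        writeLog("DENY uid=$uid requested '$requested' -> '$resolved': open failed");
        return null;
    }
    // fstat() describes the inode behind the open handle, so the ownership
    // check and the dev/ino written to the log refer to the object that was
    // really opened, whatever the path is repointed to afterwards.
    $st = fstat($fp);
    $ident = sprintf("requested '%s' -> '%s' (dev=%d ino=%d owner=%d)",
        $requested, $resolved, $st['dev'], $st['ino'], $st['uid']);
    if ($st['uid'] !== $uid) {
        fclose($fp);
        writeLog("DENY uid=$uid $ident");
        return null;
    }
    $data = stream_get_contents($fp);
    fclose($fp);
    writeLog("ALLOW uid=$uid $ident");
    return $data;
}

// Constructed scenario: a file owned by this process, and a symlink with an
// innocent-looking name that points at /etc/passwd.
$dir = sys_get_temp_dir() . '/cwe223_' . getmypid();
mkdir($dir);
file_put_contents("$dir/mine.txt", "owned by me\n");
symlink('/etc/passwd', "$dir/notes.txt");

$me = fileowner("$dir/mine.txt");          // uid of the current process
$allowed = readOwnedFile("$dir/mine.txt", $me);
$denied  = readOwnedFile("$dir/notes.txt", $me + 1);  // a uid that owns neither file

echo ($allowed !== null && $denied === null) ? "ok\n" : "unexpected result\n";

unlink("$dir/notes.txt");
unlink("$dir/mine.txt");
rmdir($dir);
```

The denied request produces a log line that names both notes.txt and /etc/passwd, so an analyst can see what the caller was really reaching for. Recording dev/ino alongside the path pins the entry to a specific object even if the symlink is later repointed, which is what makes the entry useful for reconstructing the attack afterwards.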
Observed Examples
CVE-1999-1029: Login attempts are not recorded if the user disconnects before the maximum number of tries.
CVE-2002-1839: Sender's IP address not recorded in outgoing e-mail.
CVE-2000-0542: Failed authentication attempts are not recorded if a later attempt succeeds.
Applicable Platforms
Languages: Not Language-Specific (Prevalence: Undetermined)
Modes of Introduction
  • Architecture and Design
  • Implementation
  • Operation
Related Weaknesses
Taxonomy Mapping
  • PLOVER