Read Time:46 Second

Description

The application inserts sensitive information into debugging code, which could expose this information if the debugging code is not disabled in production.

When debugging, it may be necessary to report detailed information to the programmer. However, if the debugging code is not disabled when the application is operating in a production environment, then this sensitive information may be exposed to attackers.

Modes of Introduction:

– Architecture and Design

 

 

Related Weaknesses

CWE-200

 

Consequences

Confidentiality: Read Application Data

 

Potential Mitigations

Phase: Implementation

Description: 

Do not leave debug statements that could be executed in the source code. Ensure that all debug information is eradicated before releasing the software.

Phase: Architecture and Design

Description: 

CVE References

  • CVE-2002-0918
    • CGI script includes sensitive information in debug messages when an error is triggered.
  • CVE-2003-1078
    • FTP client with debug option enabled shows password to the screen.