Description
The application inserts sensitive information into debugging code, which could expose this information if the debugging code is not disabled in production.
When debugging, it may be necessary to report detailed information to the programmer. However, if the debugging code is not disabled when the application is operating in a production environment, then this sensitive information may be exposed to attackers.
Modes of Introduction:
– Architecture and Design
Related Weaknesses
Consequences
Confidentiality: Read Application Data
Potential Mitigations
Phase: Implementation
Description:
Do not leave debug statements that could be executed in the source code. Ensure that all debug information is eradicated before releasing the software.
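The two patterns described above, the weakness and its mitigation, side by side in a self-contained Python example added here (it is not code from the CWE entry or any referenced product). It assumes a constructed request context containing a password and an API token, and uses the standard `logging` module: the unsafe function emits the whole context at DEBUG level, the hardened variant masks any key that looks like a credential before logging, and a small capture helper shows what each writes at DEBUG versus INFO level, which is the "debug not disabled in production" case.

```python
import logging
import re
from io import StringIO

# Constructed sample: a connection context that a developer might dump while debugging.
SAMPLE_CONTEXT = {
    "user": "alice",
    "password": "hunter2",          # constructed credential
    "api_token": "tok_abc123",      # constructed token
    "host": "db.example.internal",  # constructed hostname
}

# Key names treated as sensitive (pattern chosen for this example, not a standard list).
SENSITIVE_KEYS = re.compile(r"(pass(word|wd)?|secret|token|api[_-]?key|authorization)",
                            re.IGNORECASE)


def redact(context: dict) -> dict:
    """Return a copy of the mapping with values of sensitive keys masked."""
    return {k: ("[REDACTED]" if SENSITIVE_KEYS.search(k) else v)
            for k, v in context.items()}


def log_debug_unsafe(logger: logging.Logger, context: dict) -> None:
    """Weakness pattern: the whole context, credentials included, goes into the debug log."""
    logger.debug("connecting with %r", context)


def log_debug_safe(logger: logging.Logger, context: dict) -> None:
    """Hardened pattern: sensitive fields are masked before the message is built."""
    logger.debug("connecting with %r", redact(context))


def capture(fn, context: dict, level: int = logging.DEBUG) -> str:
    """Run fn with an isolated logger at the given level and return what it wrote."""
    buf = StringIO()
    logger = logging.getLogger(f"debugleak.{fn.__name__}.{level}")
    logger.handlers.clear()
    logger.propagate = False
    logger.setLevel(level)
    handler = logging.StreamHandler(buf)
    handler.setFormatter(logging.Formatter("%(levelname)s %(message)s"))
    logger.addHandler(handler)
    fn(logger, context)
    handler.flush()
    return buf.getvalue()


def leaks_secret(output: str, context: dict = SAMPLE_CONTEXT) -> bool:
    """True if any sensitive value from the context appears verbatim in the log output."""
    return any(str(v) in output
               for k, v in context.items() if SENSITIVE_KEYS.search(k))


if __name__ == "__main__":
    # Debug level left on in production: the unsafe logger exposes the password.
    print("unsafe @DEBUG:", capture(log_debug_unsafe, SAMPLE_CONTEXT), end="")
    # Same level, redacting logger: the context is still useful, credentials are masked.
    print("safe   @DEBUG:", capture(log_debug_safe, SAMPLE_CONTEXT), end="")
    # Debug level disabled: nothing is written either way, but relying on this alone is
    # fragile, since one misconfigured deployment re-enables the leak.
    print("unsafe @INFO: ", repr(capture(log_debug_unsafe, SAMPLE_CONTEXT, logging.INFO)))
```

Raising the production log level suppresses the debug line, but that is a deployment setting, not a property of the code; masking at the logging call site (or removing the statement, as the mitigation says) holds regardless of how the environment is configured.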
Phase: Architecture and Design
Description:
CVE References
- CVE-2004-2268: Password exposed in debug information.
- CVE-2002-0918: CGI script includes sensitive information in debug messages when an error is triggered.
- CVE-2003-1078: FTP client with debug option enabled shows password to the screen.