CWE-223: Omission of Security-relevant Information
Description
The product does not record or display information that would be important for identifying the source or nature of an attack, or determining if an action is safe.
Submission Date :
July 19, 2006, midnight
Modification Date :
2023-10-26 00:00:00+00:00
Organization :
MITRE
Example - 1
This code logs suspicious multiple login attempts. This code only logs failed login attempts when a certain limit is reached. If an attacker knows this limit, they can stop their attack from being discovered by avoiding the limit.return True;
writeLog("Failed login attempt by User: " . $userName . " at " + date('r') );incrementLoginAttempts($userName);if(recentLoginAttempts($userName) > 5){}if(authenticate($userName,$password)){}else{}function login($userName,$password){}
Example - 2
This code prints the contents of a file if a user has permission. While the code logs a bad access attempt, it logs the user supplied name for the file, not the canonicalized file name. An attacker can obscure their target by giving the script the name of a link to the file they are attempting to access. Also note this code contains a race condition between the is_link() and readlink() functions (CWE-363).
// //resolve file if its a symbolic link//
$realFile = readlink($filename);
echo file_get_contents($realFile);return;
echo 'Access denied';writeLog($user . ' attempted to access the file '. $filename . ' on '. date('r'));$user = getCurrentUser();$realFile = $filename;if(is_link($filename)){}if(fileowner($realFile) == $user){}else{}function readFile($filename){}
Related Weaknesses
This table shows the weaknesses and high level categories that are related to this weakness. These relationships are defined to give an overview of the different insight to similar items that may exist at higher and lower levels of abstraction.
Visit http://cwe.mitre.org/ for more details.