CWE-615: Inclusion of Sensitive Information in Source Code Comments

Description

While adding general comments is very useful, some programmers tend to leave important data in them, such as filenames related to the web application, old links or links that were not meant to be browsed by users, old code fragments, and so on.

Submission Date: 2007-05-07

Modification Date: 2023-06-29

Organization: MITRE

Extended Description

An attacker who finds these comments can map the application's structure and files, expose hidden parts of the site, and study the fragments of code to reverse engineer the application, which may help develop further attacks against the site.

Example Vulnerable Codes

Example - 1

The following comment, embedded in a JSP, will be displayed in the resulting HTML output.

<!-- FIXME: calling this with more than 30 args kills the JDBC server -->
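
As an added example (not part of the CWE entry), the following Python scanner flags HTML comments of the kind described above in rendered output, so a reviewer can catch them before a release; the keyword patterns and the sample page are constructed for illustration.

```python
import re

# Patterns that mark an HTML comment as worth a reviewer's attention.
# Constructed for this example; extend the list for the application under review.
SENSITIVE_PATTERNS = {
    "dev-note":   re.compile(r"\b(FIXME|TODO|HACK|XXX)\b"),
    "credential": re.compile(r"\b(password|passwd|secret|api[_-]?key|token)\b", re.I),
    "path":       re.compile(r"(?:/[\w.-]+){2,}|\b[\w-]+\.(?:bak|old|orig|inc|sql)\b", re.I),
    "link":       re.compile(r"https?://[^\s'\"<>]+", re.I),
    "code":       re.compile(r"\b(SELECT|INSERT|UPDATE|DELETE)\b\s+\w+|\w+\s*\(.*\)\s*;", re.I),
}

# HTML comments survive into the page a browser receives, unlike server-side
# template comments (for example JSP's <%-- ... --%>), which are stripped.
COMMENT_RE = re.compile(r"<!--(.*?)-->", re.S)


def find_sensitive_comments(html: str) -> list[dict]:
    """Return every HTML comment in `html` that matches a sensitive pattern.

    Each finding records the 1-based line where the comment starts, the
    comment body, and the names of the patterns that matched.
    """
    findings = []
    for m in COMMENT_RE.finditer(html):
        body = m.group(1).strip()
        reasons = [name for name, pat in SENSITIVE_PATTERNS.items() if pat.search(body)]
        if reasons:
            line = html.count("\n", 0, m.start()) + 1
            findings.append({"line": line, "comment": body, "reasons": reasons})
    return findings


# Constructed sample of rendered output: one harmless layout note and
# three comments of the kind CWE-615 describes.
SAMPLE_HTML = """<html>
<body>
<!-- FIXME: calling this with more than 30 args kills the JDBC server -->
<!-- layout note: centre the logo on small screens -->
<!-- old admin page, not linked from the menu: https://intranet.example.com/admin_old.jsp -->
<!-- query lives in /var/www/app/WEB-INF/reports/monthly.sql, db password is in the wiki -->
<p>Welcome</p>
</body>
</html>
"""

if __name__ == "__main__":
    for f in find_sensitive_comments(SAMPLE_HTML):
        print(f"line {f['line']}: {', '.join(f['reasons'])}: {f['comment']}")
```

Run it against the HTML a browser actually receives (a saved response), not the template source, since only comments that reach the client matter here.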

Related Weaknesses

This table shows the weaknesses and high-level categories that are related to this weakness. These relationships are defined to give an overview of the different insights into similar items that may exist at higher and lower levels of abstraction.

Visit http://cwe.mitre.org/ for more details.