ABSTRACT

Revealing system data or debugging information helps an adversary learn about the system and form a plan of attack.

EXPLANATION

An information leak occurs when system data or debugging information leaves the program through an output stream or logging function.

Example: The following code prints the SAPFTP version information on the screen:

...
" Retrieve the SAPFTP installation details
CALL FUNCTION 'FTP_VERSION'
...
  IMPORTING
    EXEPATH     = p
    VERSION     = v
    WORKING_DIR = dir
    RFCPATH     = rfcp
    RFCVERSION  = rfcv
  TABLES
    FTP_TRACE   = FTP_TRACE.

" Every returned value goes to the output list, i.e. the screen or the spool
WRITE: 'exepath: ', p, 'version: ', v, 'working_dir: ', dir,
       'rfcpath: ', rfcp, 'rfcversion: ', rfcv.
...

Depending upon the configuration of the selection screen, this information can be dumped to the screen or sent directly to a printer. In some cases the version information tells the attacker precisely what sort of attack the system is vulnerable to. Error messages can do the same: a database error message, for example, can reveal that the application is vulnerable to SQL injection. Other error messages reveal more oblique clues about the system.
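As an added example (not part of the original page or of any SAP code), the following Python check flags the pattern above in source form: it records which variables receive the IMPORTING results of CALL FUNCTION 'FTP_VERSION' and reports every WRITE statement that outputs one of them. The ABAP sample embedded in it is constructed for the demonstration, and the statement splitter is a simplified tokenizer rather than a full ABAP grammar.

```python
import re

# Constructed sample ABAP, modelled on the snippet in the text (not real SAP code).
SAMPLE_ABAP = """\
CALL FUNCTION 'FTP_VERSION'
  IMPORTING
    EXEPATH     = p
    VERSION     = v
    WORKING_DIR = dir
    RFCPATH     = rfcp
    RFCVERSION  = rfcv
  TABLES
    FTP_TRACE   = ftp_trace.

WRITE: 'exepath: ', p, 'version: ', v, 'working_dir: ', dir.
WRITE: 'user: ', sy-uname.
"""

# Keywords that end the IMPORTING parameter block of a CALL FUNCTION statement.
SECTION_END = r"\bTABLES\b|\bEXCEPTIONS\b|\bCHANGING\b|\bEXPORTING\b|$"

def split_statements(source):
    """Split ABAP source on the '.' terminator, ignoring periods inside '...' literals."""
    stmts, buf, in_str = [], [], False
    for ch in source:
        if ch == "'":
            in_str = not in_str
        if ch == "." and not in_str:
            stmts.append("".join(buf).strip())
            buf = []
        else:
            buf.append(ch)
    return [s for s in stmts if s]

def tainted_vars(statements, fm_name="FTP_VERSION"):
    """Variables that receive IMPORTING results of CALL FUNCTION fm_name (lower-cased)."""
    names = set()
    for stmt in statements:
        if not re.match(rf"CALL\s+FUNCTION\s+'{fm_name}'", stmt, re.I):
            continue
        m = re.search(rf"\bIMPORTING\b(.*?)(?:{SECTION_END})", stmt, re.I | re.S)
        if m:
            names.update(v.lower() for _, v in re.findall(r"(\w+)\s*=\s*(\w+)", m.group(1)))
    return names

def find_leaks(source, fm_name="FTP_VERSION"):
    """Return (statement, [leaked vars]) for every WRITE that outputs a tainted variable."""
    statements = split_statements(source)
    tainted = tainted_vars(statements, fm_name)
    leaks = []
    for stmt in statements:
        if not re.match(r"WRITE\b", stmt, re.I):
            continue
        body = re.sub(r"'[^']*'", " ", stmt)                      # drop string literals
        tokens = re.findall(r"[A-Za-z_]\w*(?:-\w+)*", body)[1:]   # skip the WRITE keyword
        hit = [t for t in tokens if t.lower() in tainted]
        if hit:
            leaks.append((" ".join(stmt.split()), hit))
    return leaks

if __name__ == "__main__":
    for stmt, hit in find_leaks(SAMPLE_ABAP):
        print(f"system information leak: {hit} in: {stmt}")
```

On the sample the first WRITE is reported for p, v and dir, while the WRITE of sy-uname is not, because that value does not originate from FTP_VERSION.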

REFERENCES

[1] Standards Mapping - OWASP Top 10 2007 - (OWASP 2007) A6 Information Leakage and Improper Error Handling

[2] Standards Mapping - Security Technical Implementation Guide Version 3 - (STIG 3) APP3620 CAT II

[3] Standards Mapping - Common Weakness Enumeration - (CWE) CWE ID 497

[4] Standards Mapping - Web Application Security Consortium 24 + 2 - (WASC 24 + 2) Information Leakage

[5] Standards Mapping - Payment Card Industry Data Security Standard Version 2.0 - (PCI 2.0) Requirement 6.5.5

[6] Standards Mapping - Payment Card Industry Data Security Standard Version 1.2 - (PCI 1.2) Requirement 6.5.6