Support
Eng
òÕÓ
Company
Home
Services
Solutions
Documentation
News and Events
 
 
 
Knowledgebase
Downloads
Glossary
Ask a Question
Search:     Advanced search
SHALB.com / Security Knowledgebase / Web Application Security / Vulnerability / Logging and Auditing Vulnerability / System Information Leak
server monitoring

System Information Leak
Article ID: 198
Last updated: 09 May, 2008
Print
Email to friend
Views: 469
Posted: 09 May, 2008
by: Tech Pubs S.
Updated: 09 May, 2008
by: Tech Pubs S.

Abstract

Revealing system data or debugging information helps an adversary learn about the system and form a plan of attack.

Description

An information leak occurs when system data or debugging information leaves the program through an output stream or logging function.

Examples

Example 1:

The following code prints the path environment variable to the standard error stream:

	char* path = getenv("PATH");
	... 
	sprintf(stderr, "cannot find exe on path %s\n", path);

Example 2:

The following code prints an exception to the standard error stream:

	try {
		...
	} catch (Exception e) {
		e.printStackTrace();
	}

Depending upon the system configuration, this information can be dumped to a console, written to a log file, or exposed to a remote user. In some cases the error message tells the attacker precisely what sort of an attack the system will be vulnerable to. For example, a database error message can reveal that the application is vulnerable to a SQL injection attack. Other error messages can reveal more oblique clues about the system. In the example above, the search path could imply information about the type of operating system, the applications installed on the system, and the amount of care that the administrators have put into configuring the program.
This article was:   Helpful | Not Helpful
Prev   Next
Poor Logging Practice: Use of a System Output Stream     Password Management Vulnerability

server monitoring

¿ 2010 "SHALB.com" All rights reserved
SHALB Home
Services
Solutions
Documentation
News and Events