Information Exposure Through Externally-generated Error Message| ID: 211 | Date: (C)2012-05-14 (M)2022-10-10 |
| Type: weakness | Status: INCOMPLETE |
| Abstraction Type: Base |
Description
The software performs an operation that triggers an external
diagnostic or error message that is not directly generated by the software, such
as an error generated by the programming language interpreter that the software
uses. The error can contain sensitive system information.
Enabling Factors for ExploitationPHP applications are often targeted for having this issue when the PHP
interpreter generates the error outside of the application's control.
However, it's not just restricted to PHP, as other languages/environments
exhibit the same issue.
Applicable PlatformsLanguage: OftenLanguage: PHPLanguage Class: All
Time Of Introduction
- Architecture and Design
- Implementation
- Operation
Common Consequences
| Scope | Technical Impact | Notes |
|---|
| Confidentiality | Read application
data | |
Detection MethodsNone
Potential Mitigations
| Phase | Strategy | Description | Effectiveness | Notes |
|---|
| System Configuration | | Configure the application's environment in a way that prevents errors
from being generated. For example, in PHP, disable
display_errors. | | |
| ImplementationBuild and Compilation | Compilation or Build HardeningEnvironment Hardening | Debugging information should not make its way into a production
release. | | |
| Implementation | | Handle exceptions internally and do not display errors containing
potentially sensitive information to a user. Create default error pages
if necessary. | | |
| Implementation | | The best way to prevent this weakness during implementation is to
avoid any bugs that could trigger the external error message. This
typically happens when the program encounters fatal errors, such as a
divide-by-zero. You will not always be able to control the use of error
pages, and you might not be using a language that handles
exceptions. | | |
RelationshipsThis is inherently a resultant vulnerability from a weakness within the
product or an interaction error.
| Related CWE | Type | View | Chain |
|---|
| CWE-211 ChildOf CWE-895 | Category | CWE-888 | |
Demonstrative ExamplesNone
Observed Examples
- CVE-2004-1581 : chain: product does not protect against direct request of an include file, leading to resultant path disclosure when the include file does not successfully execute.
- CVE-2004-1579 : Single "'" inserted into SQL query leads to invalid SQL query execution, triggering full path disclosure. Possibly resultant from more general SQL injection issue.
- CVE-2005-0459 : chain: product does not protect against direct request of a library file, leading to resultant path disclosure when the file does not successfully execute.
- CVE-2005-0443 : invalid parameter triggers a failure to find an include file, leading to infoleak in error message.
- CVE-2005-0433 : Various invalid requests lead to information leak in verbose error messages describing the failure to instantiate a class, open a configuration file, or execute an undefined function.
- CVE-2004-1101 : Improper handling of filename request with trailing "/" causes multiple consequences, including information leak in Visual Basic error message.
For more examples, refer to CVE relations in the bottom box.
White Box Definitions None
Black Box Definitions None
Taxynomy Mappings
| Taxynomy | Id | Name | Fit |
|---|
| PLOVER | | Product-External Error Message Infoleak | |
References:None
