CWE-211
Externally-Generated Error Message Containing Sensitive Information
Description
The product performs an operation that triggers an external diagnostic or error message that is not directly generated or controlled by the product, such as an error generated by the programming language interpreter that a software application uses. The error can contain sensitive system information.
Parent Weaknesses (ChildOf)
Common Consequences
Scope
Impact
Read Application Data
Potential Mitigations
Configure the application's environment in a way that prevents errors from being generated. For example, in PHP, disable display_errors.
Debugging information should not make its way into a production release.
Debugging information should not make its way into a production release.
Handle exceptions internally and do not display errors containing potentially sensitive information to a user. Create default error pages if necessary.
The best way to prevent this weakness during implementation is to avoid any bugs that could trigger the external error message. This typically happens when the program encounters fatal errors, such as a divide-by-zero. You will not always be able to control the use of error pages, and you might not be using a language that handles exceptions.
CVE-2004-1581chain: product does not protect against direct request of an include file, leading to resultant path disclosure when the include file does not successfully execute.
CVE-2004-1579Single "'" inserted into SQL query leads to invalid SQL query execution, triggering full path disclosure. Possibly resultant from more general SQL injection issue.
CVE-2005-0459chain: product does not protect against direct request of a library file, leading to resultant path disclosure when the file does not successfully execute.
CVE-2005-0443invalid parameter triggers a failure to find an include file, leading to infoleak in error message.
CVE-2005-0433Various invalid requests lead to information leak in verbose error messages describing the failure to instantiate a class, open a configuration file, or execute an undefined function.
CVE-2004-1101Improper handling of filename request with trailing "/" causes multiple consequences, including information leak in Visual Basic error message.
Applicable Platforms
Security Training
Train your team to recognize and prevent security threats with our comprehensive security awareness program.
Start TrainingVulnerability Scanning
Discover vulnerabilities in your applications and infrastructure before attackers do.
Scan Now