CWE-211: Information Exposure Through Externally-generated Error Message
Weakness ID: 211
The software performs an operation that triggers an external diagnostic or error message that is not directly generated by the software, such as an error generated by the programming language interpreter that the software uses. The error can contain sensitive system information.
Time of Introduction
Architecture and Design
Technical Impact: Read application
Enabling Factors for Exploitation
PHP applications are often targeted for having this issue when the PHP interpreter generates the error outside of the application's control. However, it's not just restricted to PHP, as other languages/environments exhibit the same issue.
Improper handling of filename request with trailing "/" causes multiple consequences, including information leak in Visual Basic error message.
Phase: System Configuration
Configure the application's environment in a way that prevents errors
from being generated. For example, in PHP, disable
Phases: Implementation; Build and Compilation
Strategies: Compilation or Build Hardening; Environment Hardening
Debugging information should not make its way into a production
Handle exceptions internally and do not display errors containing
potentially sensitive information to a user. Create default error pages
The best way to prevent this weakness during implementation is to
avoid any bugs that could trigger the external error message. This
typically happens when the program encounters fatal errors, such as a
divide-by-zero. You will not always be able to control the use of error
pages, and you might not be using a language that handles
the weakness is typically related to the presence of some other
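The mitigation described above (handle exceptions internally and serve a default error page), applied to the divide-by-zero case this entry mentions. This is an added Python example, not part of the CWE entry; the WSGI handler `report_app`, the two wrappers and the `call` helper are constructed for illustration.

```python
import logging
import traceback
import uuid
from wsgiref.util import setup_testing_defaults

log = logging.getLogger("app.errors")

def report_app(environ, start_response):
    """Constructed handler with a bug: divides by a client-supplied value."""
    count = int(environ.get("QUERY_STRING", "") or 0)
    body = f"average={100 / count}\n".encode()  # ZeroDivisionError when count == 0
    start_response("200 OK", [("Content-Type", "text/plain")])
    return [body]

def leaky(app):
    """Weak: the interpreter-generated traceback (file paths, code) reaches the client."""
    def wrapper(environ, start_response):
        try:
            return app(environ, start_response)
        except Exception:
            start_response("500 Internal Server Error", [("Content-Type", "text/plain")])
            return [traceback.format_exc().encode()]
    return wrapper

def hardened(app):
    """Mitigated: detail goes to the server log, the client gets a default page."""
    def wrapper(environ, start_response):
        try:
            return app(environ, start_response)
        except Exception:
            incident = uuid.uuid4().hex[:12]  # lets support correlate report and log entry
            log.exception("unhandled error, incident=%s", incident)
            start_response("500 Internal Server Error", [("Content-Type", "text/plain")])
            return [f"An internal error occurred. Reference: {incident}\n".encode()]
    return wrapper

def call(app, query):
    """Drive a WSGI app in-process and return (status, body)."""
    environ = {"QUERY_STRING": query}
    setup_testing_defaults(environ)  # fills the remaining required WSGI keys
    seen = {}
    def start_response(status, headers, exc_info=None):
        seen["status"] = status
    body = b"".join(app(environ, start_response)).decode()
    return seen["status"], body

if __name__ == "__main__":
    for wrap in (leaky, hardened):
        print(wrap.__name__, *call(wrap(report_app), "0"), sep="\n")
```
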