CWE-211: Information Exposure Through External Error Message
Weakness ID: 211 (Weakness Base)
Status: Incomplete
Description
Description Summary
The software performs an operation that triggers an external diagnostic or error message that is not directly generated by the software, such as an error generated by the programming language interpreter that the software uses. The error can contain sensitive system information.
Time of Introduction
Architecture and Design
Implementation
Operation
Applicable Platforms
Languages
PHP: (Often)
All
Common Consequences
Scope
Effect
Confidentiality
Technical Impact: Read application data
Enabling Factors for Exploitation
PHP applications are often targeted for having this issue when the PHP interpreter generates the error outside of the application's control. However, it is not restricted to PHP, as other languages/environments exhibit the same issue.
Observed Examples
chain: product does not protect against direct request of an include file, leading to resultant path disclosure when the include file does not successfully execute.
Single "'" inserted into SQL query leads to invalid SQL query execution, triggering full path disclosure. Possibly resultant from more general SQL injection issue.
chain: product does not protect against direct request of a library file, leading to resultant path disclosure when the file does not successfully execute.
Various invalid requests lead to information leak in verbose error messages describing the failure to instantiate a class, open a configuration file, or execute an undefined function.
Improper handling of filename request with trailing "/" causes multiple consequences, including information leak in Visual Basic error message.
Potential Mitigations
Phase: System Configuration
Configure the application's environment in a way that prevents errors from being generated. For example, in PHP, disable display_errors.
Phases: Implementation; Build and Compilation
Strategies: Compilation or Build Hardening; Environment Hardening
Debugging information should not make its way into a production release.
Phase: Implementation
Handle exceptions internally and do not display errors containing potentially sensitive information to a user. Create default error pages if necessary.
Phase: Implementation
The best way to prevent this weakness during implementation is to avoid any bugs that could trigger the external error message. This typically happens when the program encounters fatal errors, such as a divide-by-zero. You will not always be able to control the use of error pages, and you might not be using a language that handles exceptions.
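Added example, not part of the CWE entry: the PHP settings the System Configuration mitigation refers to, beside an in-application handler that implements the Implementation mitigation (log the detail server-side, show the client a generic page). The log path, response text and the constructed trigger at the end are assumptions.

```php
<?php
// Added example, not from the CWE entry. Keeps interpreter-generated errors
// out of HTTP responses: details go to the server log, the client gets a
// generic page with an opaque reference id. Log path and text are assumed.

// Weak production setting: display_errors=On echoes messages such as
// "Warning: include(): failed to open stream in /var/www/app/inc/db.php on line 12".
// Hardened equivalents of the php.ini keys, applied per request here:
ini_set('display_errors', '0');          // never echo interpreter errors to the client
ini_set('display_startup_errors', '0');
ini_set('log_errors', '1');              // keep the detail, but in the server log
ini_set('error_log', '/var/log/php/app.log'); // assumed path; must not be web-served
error_reporting(E_ALL);                  // still report everything, just not to the client

// Turn warnings and notices into exceptions so one handler sees them all.
set_error_handler(function (int $no, string $msg, string $file, int $line): bool {
    if (!(error_reporting() & $no)) {
        return false; // honour @-suppressed calls
    }
    throw new ErrorException($msg, 0, $no, $file, $line);
});

// Single place that decides what the client sees.
function failClosed(string $detail): void
{
    $id = bin2hex(random_bytes(8)); // reference the user can quote to support
    error_log("[$id] $detail");     // file path and line number stay server-side
    if (!headers_sent()) {
        http_response_code(500);
        header('Content-Type: text/plain; charset=utf-8');
    }
    echo "An internal error occurred. Reference: $id\n";
}

// Uncaught exceptions and PHP 7+ Error objects (undefined function, type errors).
set_exception_handler(function (Throwable $e): void {
    failClosed(sprintf('%s: %s in %s:%d', get_class($e), $e->getMessage(), $e->getFile(), $e->getLine()));
});

// Fatal errors that never reach a handler (parse and compile errors, out of memory)
// are still visible at shutdown; give them the same generic page.
register_shutdown_function(function (): void {
    $err = error_get_last();
    if ($err !== null && ($err['type'] & (E_ERROR | E_PARSE | E_CORE_ERROR | E_COMPILE_ERROR))) {
        failClosed(sprintf('fatal %d: %s in %s:%d', $err['type'], $err['message'], $err['file'], $err['line']));
    }
});

// Constructed trigger (one of the observed examples above): with display_errors=On
// and no handler, the client would see the script's full path and line number;
// here the response carries only the reference id.
undefined_function_for_demo();
```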
Weakness Ordinalities
Ordinality
Description
Resultant (where the weakness is typically related to the presence of some other weaknesses)