CWE-211: Product-External Error Message Information Leak
Weakness ID: 211 (Weakness Base)
Status: Incomplete
Description
Description Summary
The software performs an operation that triggers a diagnostic or error message that is not generated by the software itself but by a component outside its direct control, such as the programming language interpreter or runtime that the software uses. Such a message can contain sensitive system information, for example the absolute path of the failing file.
Time of Introduction
Architecture and Design
Implementation
Operation
Applicable Platforms
Languages
PHP: (Often)
All
Enabling Factors for Exploitation
PHP applications are often targeted for this issue because the PHP interpreter generates the error outside of the application's control and, unless display_errors is turned off, includes it in the HTTP response. The issue is not restricted to PHP, however: other languages and environments exhibit the same behaviour.
Observed Examples
Chain: the product does not protect against direct requests for an include file; when the file is requested on its own it fails to execute, and the resulting interpreter error discloses its full path.
A single "'" inserted into a SQL query makes the query invalid; the resulting error discloses the full path. Possibly resultant from a more general SQL injection issue.
Chain: the product does not protect against direct requests for a library file; when the file fails to execute on its own, the resulting error discloses its full path.
Various invalid requests cause verbose error messages that leak information while describing a failure to instantiate a class, open a configuration file, or execute an undefined function.
Failure to handle a filename request with a trailing "/" causes multiple consequences, including an information leak in a Visual Basic error message.
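The include-file chain described above, and the guard that breaks it, as an added example written for this entry; it is not code from any of the affected products. The file names, the APP_ENTRY constant, the $config variable and the quoted error text are assumptions.

```php
<?php
declare(strict_types=1);

// lib/db.php  (added example; file names, APP_ENTRY and $config are assumptions)
//
// This file is meant to be require()d by public/index.php, which first runs
//     define('APP_ENTRY', true);
// and sets $config. If lib/ is also reachable under the web root, then
// GET /lib/db.php executes this file on its own: $config is undefined, the
// call to connect() fails, and with display_errors on the interpreter answers
// with its own message, which names the absolute path of this file and the
// failing line, roughly (wording varies by PHP version):
//     Fatal error: Uncaught TypeError: connect(): Argument #1 ($cfg) must be
//     of type array, null given ... in /var/www/app/lib/db.php:NN
//
// The guard below breaks the chain: a direct request is answered like a
// missing page and execution stops before anything can fail.
if (!defined('APP_ENTRY')) {
    http_response_code(404);
    exit;
}

function connect(array $cfg): PDO
{
    $dsn = sprintf('mysql:host=%s;dbname=%s;charset=utf8mb4', $cfg['host'], $cfg['name']);
    return new PDO($dsn, $cfg['user'], $cfg['pass'], [
        // Throw on SQL errors so a malformed query becomes an exception the
        // application can handle, not a warning the interpreter prints.
        PDO::ATTR_ERRMODE            => PDO::ERRMODE_EXCEPTION,
        PDO::ATTR_EMULATE_PREPARES   => false,
    ]);
}

// Only reached when included from the entry point, where $config is defined.
$db = connect($config);
```

The stronger fix is to keep lib/ outside the document root, or to deny it in the web server configuration, so that the interpreter is never invoked on these files at all; the in-file guard is defence in depth for layouts that cannot be changed.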
Potential Mitigations
Phase: System Configuration
Configure the application's environment so that interpreter and runtime diagnostics are never displayed to the client. For example, in PHP disable display_errors in production (and enable log_errors so the detail still reaches a server-side log). Note that this hides the message; it does not stop the underlying error from occurring.
Phase: Build and Compilation
Debugging information (debug symbols, verbose or development-mode error reporting) should not make its way into a production release.
Phase: Implementation
Handle exceptions internally and do not display errors containing potentially sensitive information to a user. Create default error pages if necessary, so that every failure path produces a generic response.
Phase: Implementation
The best way to prevent this weakness during implementation is to avoid the bugs that trigger the external error message in the first place; these are typically fatal errors such as a divide-by-zero or an uncaught exception. This code-level approach matters because you will not always be able to control the error pages the environment serves, and you might not be using a language that supports exception handling.
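The System Configuration and Implementation mitigations above combined in one PHP bootstrap file, as an added example for this entry rather than code from any referenced product. The file name bootstrap.php, the log path and the wording of the generic page are assumptions.

```php
<?php
declare(strict_types=1);

// bootstrap.php  (added example; file name, log path and page text are
// assumptions). Include this first from every entry point.

// 1. Environment: never send interpreter diagnostics to the client; log them.
//    Set the same values in php.ini or the php-fpm pool as well, because
//    ini_set() runs too late for parse or startup errors in this file itself.
ini_set('display_errors', '0');
ini_set('display_startup_errors', '0');
ini_set('log_errors', '1');
ini_set('error_log', '/var/log/app/php-error.log'); // assumed path, writable by the web user
error_reporting(E_ALL);

// 2. One generic response for every failure; the detail stays in the log.
function renderGenericError(int $status = 500): void
{
    if (!headers_sent()) {
        http_response_code($status);
        header('Content-Type: text/html; charset=utf-8');
    }
    echo '<h1>Something went wrong</h1><p>The request could not be completed.</p>';
}

// 3. Uncaught exceptions. A PDOException from a query broken by a stray "'"
//    lands here and yields the generic page instead of a path disclosure.
//    (This removes the leak only; the query itself still needs parameterising.)
set_exception_handler(function (Throwable $e): void {
    error_log(sprintf('[%s] %s in %s:%d', get_class($e), $e->getMessage(), $e->getFile(), $e->getLine()));
    renderGenericError(500);
    exit;
});

// 4. Warnings, notices and deprecations: turn them into ErrorException so the
//    handler above sees them rather than the interpreter printing them.
//    Returning false for suppressed severities keeps error_reporting() authoritative.
set_error_handler(function (int $severity, string $message, string $file, int $line): bool {
    if (!(error_reporting() & $severity)) {
        return false;
    }
    throw new ErrorException($message, 0, $severity, $file, $line);
});

// 5. Fatal errors (E_ERROR, E_PARSE, ...) bypass both handlers. With
//    display_errors off nothing has been printed yet, so at shutdown we can log
//    the detail and still give the client the generic page.
register_shutdown_function(function (): void {
    $err = error_get_last();
    if ($err !== null && in_array($err['type'], [E_ERROR, E_PARSE, E_CORE_ERROR, E_COMPILE_ERROR], true)) {
        error_log(sprintf('FATAL %s in %s:%d', $err['message'], $err['file'], $err['line']));
        renderGenericError(500);
    }
});
```

Converting warnings into exceptions (step 4) changes control flow for code that previously tolerated notices, so introduce it together with testing; the ini settings in step 1 are the part that actually prevents the interpreter's text from reaching the client, and belong in the server-level configuration as much as in code.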
Weakness Ordinalities
Resultant: the weakness is typically related to the presence of some other weakness (here, the bug or injection that triggers the external error in the first place).