CWE-211 Individual Dictionary Definition (Draft 9)
Weakness ID: 211 (Weakness Base)
Status: Incomplete

Description
Summary: The software performs an operation that triggers a diagnostic or error message that is not under direct control of the product, e.g. an error generated by the programming language the product uses. This is inherently a resultant weakness: it follows from another weakness within the product or from an interaction error. Whether the message reaches the user may be controllable by configuration, e.g. PHP's error-display settings.

Functional Area: Non-specific

Potential Mitigations
Implementation: Any error should be parsed for dangerous revelations (file paths, stack frames, query text, component versions) before it is shown.
Build: Debugging information should not make its way into a production release.
Handle exceptions internally and do not display errors containing potentially sensitive information to a user. Create default error pages if necessary.

Observed Examples: (none listed in this draft)

Context Notes
Attack: trigger an error, then monitor the responses.
PHP applications are often targeted for this issue because the PHP interpreter generates the error outside the application's control. It is not restricted to PHP, however: other languages and environments exhibit the same issue.

Relationships: (none listed in this draft)
Source Taxonomies: PLOVER - Product-External Error Message Infoleak
Applicable Platforms: All
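The mitigation and the context note above, as an added example that is not part of the CWE entry: a WSGI handler that passes the interpreter's own traceback to the client (the Python equivalent of PHP's display_errors=On) beside one that handles the exception internally and returns a default error page, plus a response checker that fingerprints product-external diagnostics the way an attacker who triggers errors and monitors responses would. The signature set, the sample records, the `id` query parameter and the PHP warning fragment are constructed for illustration, not taken from the entry.

```python
"""CWE-211 worked example (editor's addition, stdlib only): leaking vs.
hardened error handling, and a checker for runtime-generated diagnostics."""
import logging
import re
import traceback
import uuid
from urllib.parse import parse_qsl
from wsgiref.util import setup_testing_defaults

log = logging.getLogger("app")

# Fingerprints of diagnostics produced by the language runtime or framework
# rather than phrased by application code. This is what "trigger error,
# monitor responses" greps for. Assumed set; extend for the stacks you run.
ERROR_SIGNATURES = {
    "php": re.compile(
        r"(?:<b>)?(?:PHP )?(?:Warning|Notice|Fatal error|Parse error|Deprecated)"
        r"(?:</b>)?:\s+.*? in (?:<b>)?\S+?(?:</b>)? on line (?:<b>)?\d+(?:</b>)?",
        re.S),
    "python": re.compile(
        r"Traceback \(most recent call last\):\n"
        r'(?:  File "[^"]+", line \d+, in [^\n]+\n(?:    [^\n]*\n)*)+'
        r"[A-Za-z_][\w.]*"),
    "java": re.compile(
        r"(?:Exception|Error)(?::[^\n]*)?\n(?:[ \t]+at [\w$.<>/]+\([^)]*\)\n?)+"),
    "aspnet": re.compile(r"Server Error in '[^']*' Application"),
    # Absolute source paths are a revelation on their own, whoever emitted them.
    "unix_path": re.compile(r"(?:/[\w.-]+){2,}\.(?:php|py|rb|java|cs|aspx|js)\b"),
    "windows_path": re.compile(r"[A-Za-z]:\\(?:[^\\\s]+\\)+[^\\\s]+\.(?:php|cs|aspx|vb)\b"),
}


def find_error_leaks(body: str) -> list[str]:
    """Names of product-external diagnostics present in a response body."""
    return [name for name, pat in ERROR_SIGNATURES.items() if pat.search(body)]


RECORDS = {"1": "alice", "2": "bob"}  # constructed sample data


def lookup(params: dict) -> str:
    # KeyError on a missing or unknown id: an interpreter-generated error that
    # the application never phrased itself (the CWE-211 situation).
    return RECORDS[params["id"]]


def vulnerable_app(environ, start_response):
    """Debug-mode behaviour: the runtime's own diagnostic, with file paths and
    source lines, goes straight to the client."""
    params = dict(parse_qsl(environ.get("QUERY_STRING", "")))
    try:
        body = lookup(params)
        start_response("200 OK", [("Content-Type", "text/plain")])
    except Exception:
        body = traceback.format_exc()
        start_response("500 Internal Server Error", [("Content-Type", "text/plain")])
    return [body.encode()]


def hardened_app(environ, start_response):
    """Handle the exception internally: full detail goes to the server log under
    a correlation id, the client gets a fixed default error page."""
    params = dict(parse_qsl(environ.get("QUERY_STRING", "")))
    try:
        body = lookup(params)
        start_response("200 OK", [("Content-Type", "text/plain")])
    except Exception:
        incident = uuid.uuid4().hex[:12]
        log.exception("unhandled error incident=%s path=%s", incident, environ.get("PATH_INFO"))
        body = f"An internal error occurred. Reference: {incident}\n"
        start_response("500 Internal Server Error", [("Content-Type", "text/plain")])
    return [body.encode()]


def get(app, query: str) -> tuple[str, str]:
    """Drive a WSGI app in-process; returns (status line, decoded body)."""
    environ = {}
    setup_testing_defaults(environ)
    environ["QUERY_STRING"] = query
    status = []

    def start_response(s, headers, exc_info=None):
        status.append(s)

    body = b"".join(app(environ, start_response)).decode()
    return status[0], body


# Constructed PHP response fragment, of the kind display_errors=On produces.
PHP_WARNING_SAMPLE = (
    "<br />\n<b>Warning</b>:  include(config.php): failed to open stream: "
    "No such file or directory in <b>/var/www/html/index.php</b> on line <b>12</b><br />\n"
)

if __name__ == "__main__":
    logging.basicConfig(level=logging.ERROR)
    for app in (vulnerable_app, hardened_app):
        status, body = get(app, "id=999")
        print(app.__name__, status, "leaks:", find_error_leaks(body))
    print("php sample leaks:", find_error_leaks(PHP_WARNING_SAMPLE))
```

Run the block directly to see the two handlers side by side on the same unknown id: the vulnerable one returns a traceback the checker flags, the hardened one returns only a reference number that is also written to the log, so an operator can still find the detail. For PHP the equivalent of the hardened handler's catch-all is configuration rather than code: display_errors=Off and log_errors=On in php.ini (optionally with a set_error_handler/set_exception_handler pair that renders the default page), so the interpreter's diagnostics go to the log and never into the response.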