|
|
Status: Incomplete Weakness ID: 536 (Weakness Variant)Description Summary A servlet error message indicates that there exists an unhandled exception in your web application code and may provide useful information to an attacker. Common Consequences In many cases, an attacker can leverage the conditions that cause these errors in order to gain unauthorized access to the system. Potential Mitigations Do not expose sensitive error information to the user. Demonstrative Examples The following servlet code does not catch runtime exceptions, meaning that if such an exception were to occur, the container may display potentially dangerous information (such as a full stack trace). Java Example: public void doPost(HttpServletRequest request, HttpServletResponse
response) throws ServletException, IOException { String username = request.getParameter("username"); // May cause unchecked NullPointerException. if (username.length() < 10) { ... } }
Other Notes The error message may contain the location of the file in which the offending function is located. This may disclose the web root's absolute path as well as give the attacker the location of application include files or configuration information. It may even disclose the portion of code that failed. Relationships
Taxonomy Mappings
Time of Introduction  ImplementationContent History Submissions Anonymous Tool Vendor (under NDA). (Externally Mined) Modifications Sean Eidemiller. Cigital. 2008-07-01. (External) added/updated demonstrative examples Eric Dalci. Cigital. 2008-07-01. (External) updated Potential_Mitigations, Time_of_Introduction CWE Content Team. MITRE. 2008-09-08. (Internal) updated Common_Consequences, Relationships, Other_Notes, Taxonomy_Mappings |
|
|
|||
