CWE-211
Externally-Generated Error Message Containing Sensitive Information
Incomplete
2006-07-19
00h00 +00:00
00h00 +00:00
2024-02-29
00h00 +00:00
00h00 +00:00
Notifications for a CWE
Stay informed of any changes for a specific CWE.
Name: Externally-Generated Error Message Containing Sensitive Information
The product performs an operation that triggers an external diagnostic or error message that is not directly generated or controlled by the product, such as an error generated by the programming language interpreter that a software application uses. The error can contain sensitive system information.
General Informations
Modes Of Introduction
Architecture and Design : PHP applications are often targeted for having this issue when the PHP interpreter generates the error outside of the application's control. However, other languages/environments exhibit the same issue.Implementation : REALIZATION: This weakness is caused during implementation of an architectural security tactic.
Operation
Applicable Platforms
Language
Name: PHP (Often)Class: Not Language-Specific (Undetermined)
Common Consequences
| Scope | Impact | Likelihood |
|---|---|---|
| Confidentiality | Read Application Data |
Observed Examples
| References | Description |
|---|---|
CVE-2004-1581 | chain: product does not protect against direct request of an include file, leading to resultant path disclosure when the include file does not successfully execute. |
CVE-2004-1579 | Single "'" inserted into SQL query leads to invalid SQL query execution, triggering full path disclosure. Possibly resultant from more general SQL injection issue. |
CVE-2005-0459 | chain: product does not protect against direct request of a library file, leading to resultant path disclosure when the file does not successfully execute. |
CVE-2005-0443 | invalid parameter triggers a failure to find an include file, leading to infoleak in error message. |
CVE-2005-0433 | Various invalid requests lead to information leak in verbose error messages describing the failure to instantiate a class, open a configuration file, or execute an undefined function. |
CVE-2004-1101 | Improper handling of filename request with trailing "/" causes multiple consequences, including information leak in Visual Basic error message. |
Potential Mitigations
Phases : System ConfigurationConfigure the application's environment in a way that prevents errors from being generated. For example, in PHP, disable display_errors.
Phases : Implementation // Build and Compilation
Debugging information should not make its way into a production release.
Phases : Implementation // Build and Compilation
Debugging information should not make its way into a production release.
Phases : Implementation
Handle exceptions internally and do not display errors containing potentially sensitive information to a user. Create default error pages if necessary.
Phases : Implementation
The best way to prevent this weakness during implementation is to avoid any bugs that could trigger the external error message. This typically happens when the program encounters fatal errors, such as a divide-by-zero. You will not always be able to control the use of error pages, and you might not be using a language that handles exceptions.
Vulnerability Mapping Notes
Justification : This CWE entry is at the Base level of abstraction, which is a preferred level of abstraction for mapping to the root causes of vulnerabilities.Comment : Carefully read both the name and description to ensure that this mapping is an appropriate fit. Do not try to 'force' a mapping to a lower-level Base/Variant simply to comply with this preferred level of abstraction.
NotesNotes
This is inherently a resultant vulnerability from a weakness within the product or an interaction error.Submission
| Name | Organization | Date | Date release | Version |
|---|---|---|---|---|
| PLOVER | Draft 3 |
Modifications
| Name | Organization | Date | Comment |
|---|---|---|---|
| Eric Dalci | Cigital | updated Time_of_Introduction | |
| CWE Content Team | MITRE | updated Applicable_Platforms, Relationships, Other_Notes, Taxonomy_Mappings | |
| CWE Content Team | MITRE | updated Description | |
| CWE Content Team | MITRE | updated Description, Enabling_Factors_for_Exploitation, Functional_Areas, Observed_Examples, Other_Notes, Potential_Mitigations, Relationship_Notes, Weakness_Ordinalities | |
| CWE Content Team | MITRE | updated Potential_Mitigations | |
| CWE Content Team | MITRE | updated Observed_Examples | |
| CWE Content Team | MITRE | updated Name | |
| CWE Content Team | MITRE | updated Common_Consequences | |
| CWE Content Team | MITRE | updated Relationships | |
| CWE Content Team | MITRE | updated Name | |
| CWE Content Team | MITRE | updated Relationships | |
| CWE Content Team | MITRE | updated Applicable_Platforms, Enabling_Factors_for_Exploitation, Modes_of_Introduction, Relationships | |
| CWE Content Team | MITRE | updated Description, Name, Relationships | |
| CWE Content Team | MITRE | updated Description | |
| CWE Content Team | MITRE | updated Relationships | |
| CWE Content Team | MITRE | updated Mapping_Notes | |
| CWE Content Team | MITRE | updated Demonstrative_Examples |
The information presented on CVE Find originates from several carefully selected reference sources. CVE data is provided by MITRE Corporation and the National Vulnerability Database (NVD). The Known Exploited Vulnerabilities (KEV) catalog is sourced from the Cybersecurity and Infrastructure Security Agency (CISA), while EPSS scores come from FIRST.org. Additionally, data regarding software weaknesses (CWE) and common attack patterns (CAPEC) is maintained by MITRE Corporation, and information on hardware and software configurations (CPE) is provided by the NVD.