CWE-211 - Externally-Generated Error Message Containing Sensitive Information

Read Time:1 Minute, 49 Second

Description

The application performs an operation that triggers an external diagnostic or error message that is not directly generated or controlled by the application, such as an error generated by the programming language interpreter that the software uses. The error can contain sensitive system information.

Modes of Introduction:

– Architecture and Design

Related Weaknesses

CWE-209

Consequences

Confidentiality: Read Application Data

Potential Mitigations

Phase: System Configuration

Description:

Configure the application’s environment in a way that prevents errors from being generated. For example, in PHP, disable display_errors.

Phase: Implementation, Build and Compilation

Description:

Debugging information should not make its way into a production release.

Phase: Implementation, Build and Compilation

Description:

Debugging information should not make its way into a production release.

Phase: Implementation

Description:

Handle exceptions internally and do not display errors containing potentially sensitive information to a user. Create default error pages if necessary.

Phase: Implementation

Description:

The best way to prevent this weakness during implementation is to avoid any bugs that could trigger the external error message. This typically happens when the program encounters fatal errors, such as a divide-by-zero. You will not always be able to control the use of error pages, and you might not be using a language that handles exceptions.

CVE References

CVE-2004-1581
- chain: product does not protect against direct request of an include file, leading to resultant path disclosure when the include file does not successfully execute.

CVE-2004-1579
- Single “‘” inserted into SQL query leads to invalid SQL query execution, triggering full path disclosure. Possibly resultant from more general SQL injection issue.

CVE-2005-0459
- chain: product does not protect against direct request of a library file, leading to resultant path disclosure when the file does not successfully execute.

CVE-2005-0443
- invalid parameter triggers a failure to find an include file, leading to infoleak in error message.

CVE-2005-0433
- Various invalid requests lead to information leak in verbose error messages describing the failure to instantiate a class, open a configuration file, or execute an undefined function.

CVE-2004-1101
- Improper handling of filename request with trailing “/” causes multiple consequences, including information leak in Visual Basic error message.

InCVE-2004-1581, CWE- 211, Externally-Generated Error Message Containing Sensitive Information

This Windows PowerShell Phish Has Scary Potential

Infostealers Cause Surge in Ransomware Attacks, Just One in Three Recover Data

FBI Shuts Down Chinese Botnet

Western Agencies Warn Risk from Chinese-Controlled Botnet

8000 Claimants Sue Outsourcing Giant Capita Over 2023 Data Breach

FCC $200m Cyber Grant Pilot Opens Applications for Schools and Libraries

Cryptojacking Gang TeamTNT Makes a Comeback

Insecure APIs and Bot Attacks Cost Global Firms $186bn

Smashing Security podcast #385: TFL security derailed, and is Trump the king of crypto?

CWE-211 – Externally-Generated Error Message Containing Sensitive Information

Description

Related Weaknesses

Consequences

Potential Mitigations

CVE References

The Most Dangerous Vulnerabilities in Apache Tomcat and How to Protect Against Them

ZDI-CAN-18333: A Critical Zero-Day Vulnerability in Microsoft Windows

CWE-669 – Incorrect Resource Transfer Between Spheres

CWE-67 – Improper Handling of Windows Device Names

CWE-670 – Always-Incorrect Control Flow Implementation

CWE-671 – Lack of Administrator Control over Security