The software does not return custom error pages to the user, possibly exposing sensitive information.
Relationships: ChildOf CWE-755 (View 1000, Primary); CanPrecede CWE-209 (View 1000).
Scope: Confidentiality. Technical impact: Read Application Data. Note: Attackers can leverage the additional information provided by a default error page to mount attacks targeted on the framework, database, or other resources used by the application.
In the snippet below, an unchecked runtime exception thrown from within the try block may cause the container to display its default error page (which may contain a full stack trace, among other things).
An insecure ASP.NET application setting:
Custom error message mode is turned off. An ASP.NET error message with detailed stack trace and platform versions will be returned.
Here is a more secure setting:
Custom error message mode for remote users only. No defaultRedirect error page is specified. The local user on the web server will see a detailed stack trace. For remote users, an ASP.NET error message with the server customError configuration setting and the platform version will be returned.
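The two web.config settings described above, written out as an added example rather than the entry's own listings, together with a stricter variant the entry does not show (mode="On" with a defaultRedirect, so that neither local nor remote clients receive the framework's default page). The error page paths are placeholders, not part of the original.

```xml
<configuration>
  <system.web>
    <!-- Insecure: mode="Off" returns the framework's default error page,
         including the stack trace and platform version, to every client. -->
    <!-- <customErrors mode="Off" /> -->

    <!-- The "more secure" setting described above: remote clients receive
         the generic ASP.NET error page, while requests made on the web
         server itself still see the detailed stack trace. -->
    <!-- <customErrors mode="RemoteOnly" /> -->

    <!-- Stricter variant (added here): every client, local or remote, is
         served an application-controlled page; exception details stay in
         server-side logs. redirectMode="ResponseRewrite" keeps the original
         HTTP status code instead of answering with a 302 redirect. -->
    <customErrors mode="On"
                  defaultRedirect="~/Error/Generic.aspx"
                  redirectMode="ResponseRewrite">
      <error statusCode="404" redirect="~/Error/NotFound.aspx" />
      <error statusCode="500" redirect="~/Error/ServerError.aspx" />
    </customErrors>
  </system.web>
</configuration>
```

The placeholder error pages should themselves contain no exception text; anything needed for debugging belongs in the server log, not in the response.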