CWE-211: Externally-Generated Error Message Containing Sensitive Information
CWE版本: 4.18
更新日期: 2025-09-09
弱点描述
The product performs an operation that triggers an external diagnostic or error message that is not directly generated or controlled by the product, such as an error generated by the programming language interpreter that a software application uses. The error can contain sensitive system information.
常见后果
影响范围: Confidentiality
技术影响: Read Application Data
潜在缓解措施
阶段: System Configuration
描述: Configure the application's environment in a way that prevents errors from being generated. For example, in PHP, disable display_errors.
阶段: Implementation Build and Compilation
策略: Compilation or Build Hardening
描述: Debugging information should not make its way into a production release.
阶段: Implementation Build and Compilation
策略: Environment Hardening
描述: Debugging information should not make its way into a production release.
阶段: Implementation
描述: Handle exceptions internally and do not display errors containing potentially sensitive information to a user. Create default error pages if necessary.
阶段: Implementation
描述: The best way to prevent this weakness during implementation is to avoid any bugs that could trigger the external error message. This typically happens when the program encounters fatal errors, such as a divide-by-zero. You will not always be able to control the use of error pages, and you might not be using a language that handles exceptions.
观察示例
参考: CVE-2004-1581
chain: product does not protect against direct request of an include file, leading to resultant path disclosure when the include file does not successfully execute.
参考: CVE-2004-1579
Single "'" inserted into SQL query leads to invalid SQL query execution, triggering full path disclosure. Possibly resultant from more general SQL injection issue.
参考: CVE-2005-0459
chain: product does not protect against direct request of a library file, leading to resultant path disclosure when the file does not successfully execute.
参考: CVE-2005-0443
invalid parameter triggers a failure to find an include file, leading to infoleak in error message.
参考: CVE-2005-0433
Various invalid requests lead to information leak in verbose error messages describing the failure to instantiate a class, open a configuration file, or execute an undefined function.
参考: CVE-2004-1101
Improper handling of filename request with trailing "/" causes multiple consequences, including information leak in Visual Basic error message.
引入模式
| 阶段 | 说明 |
|---|---|
| Architecture and Design | PHP applications are often targeted for having this issue when the PHP interpreter generates the error outside of the application's control. However, other languages/environments exhibit the same issue. |
| Implementation | REALIZATION: This weakness is caused during implementation of an architectural security tactic. |
| Operation | - |
适用平台
编程语言
分类映射
| 分类名称 | 条目ID | 条目名称 | 映射适配度 |
|---|---|---|---|
| PLOVER | - | Product-External Error Message Infoleak | - |