PHP : External information leak
Classification
Overview
Possible system configuration information leak. This can help an attacker to plan an attack.
The debug information and error messages depending on the system settings can be written to the log, displayed in the console, or sent to the user. In some cases, an attacker can make a conclusion about the vulnerabilities of the system based on an error message. For example, a database error can indicate the insecurity against attacks such as SQL injection. Information about the version of the operating system, application server and system configuration can also be valuable to the attacker.
In this case, we are talking about the external leak: information about the system is transferred to another machine over the network. External leaks are more dangerous than internal ones.
References
- OWASP Top 10 2017-A3-Sensitive Data Exposure
- OWASP Top 10 2017-A6-Security Misconfiguration
- OWASP Top 10 2013-A5-Security Misconfiguration
- OWASP Top 10 2013-A6-Sensitive Data Exposure
- CWE-497: Exposure of System Data to an Unauthorized Control Sphere
- CWE CATEGORY: OWASP Top Ten 2017 Category A5 - Broken Access Control
- CWE CATEGORY: OWASP Top Ten 2017 Category A6 - Security Misconfiguration
- CWE-200: Exposure of Sensitive Information to an Unauthorized Actor
- CWE-209: Generation of Error Message Containing Sensitive Information