CWE-211 通过外部产生的错误消息导致的信息暴露

Information Exposure Through Externally-Generated Error Message

结构: Simple

Abstraction: Base

状态: Incomplete

被利用可能性: unkown

基本描述

The software performs an operation that triggers an external diagnostic or error message that is not directly generated by the software, such as an error generated by the programming language interpreter that the software uses. The error can contain sensitive system information.

相关缺陷

  • cwe_Nature: ChildOf cwe_CWE_ID: 209 cwe_View_ID: 1000 cwe_Ordinal: Primary

  • cwe_Nature: ChildOf cwe_CWE_ID: 209 cwe_View_ID: 699 cwe_Ordinal: Primary

适用平台

Language: [{'cwe_Name': 'PHP', 'cwe_Prevalence': 'Often'}, {'cwe_Class': 'Language-Independent', 'cwe_Prevalence': 'Undetermined'}]

常见的影响

范围 影响 注释
Confidentiality Read Application Data

可能的缓解方案

System Configuration

策略:

Configure the application's environment in a way that prevents errors from being generated. For example, in PHP, disable display_errors.

MIT-40 ['Implementation', 'Build and Compilation']

策略: Compilation or Build Hardening

Debugging information should not make its way into a production release.

MIT-40 ['Implementation', 'Build and Compilation']

策略: Environment Hardening

Debugging information should not make its way into a production release.

Implementation

策略:

Handle exceptions internally and do not display errors containing potentially sensitive information to a user. Create default error pages if necessary.

Implementation

策略:

The best way to prevent this weakness during implementation is to avoid any bugs that could trigger the external error message. This typically happens when the program encounters fatal errors, such as a divide-by-zero. You will not always be able to control the use of error pages, and you might not be using a language that handles exceptions.

分析过的案例

标识 说明 链接
CVE-2004-1581 chain: product does not protect against direct request of an include file, leading to resultant path disclosure when the include file does not successfully execute. https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2004-1581
CVE-2004-1579 Single "'" inserted into SQL query leads to invalid SQL query execution, triggering full path disclosure. Possibly resultant from more general SQL injection issue. https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2004-1579
CVE-2005-0459 chain: product does not protect against direct request of a library file, leading to resultant path disclosure when the file does not successfully execute. https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2005-0459
CVE-2005-0443 invalid parameter triggers a failure to find an include file, leading to infoleak in error message. https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2005-0443
CVE-2005-0433 Various invalid requests lead to information leak in verbose error messages describing the failure to instantiate a class, open a configuration file, or execute an undefined function. https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2005-0433
CVE-2004-1101 Improper handling of filename request with trailing "/" causes multiple consequences, including information leak in Visual Basic error message. https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2004-1101

Notes

分类映射

映射的分类名 ImNode ID Fit Mapped Node Name
PLOVER Product-External Error Message Infoleak