====== Revealing Error Message Vulnerability ======

Over-informative error messages (or error messages not meant for general consumption, such as debug messages) can reveal targets or exploits for attack attempts. Combined with an automated scan and injection attack, a page or application may be purposely fed inappropriate data to try to provoke a revealing error message.

===== Remedy =====

  * Enable a configurable "debug" mode such that, when the mode is disabled, only a generic message is shown, disclaiming that "an" error happened and perhaps that "the administrator has been notified".

===== Additional Information =====

  * See [[security:web_application_security|web application security]] and [[catalog|security vulnerabilities catalog]].
  * [[http://www.php.net/manual/en/security.errors.php|PHP Security: Error Reporting]]
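
The remedy described on this page, as an added example (not part of the original page): a Python WSGI middleware with a "debug" switch that returns the traceback only when debug is enabled and otherwise returns a generic message while logging the detail server-side. The class name ''ErrorShield'', the logger name ''app.errors'', the incident reference and the constructed failing app are assumptions made for illustration.

```python
import logging
import sys
import traceback
import uuid

log = logging.getLogger("app.errors")  # hypothetical logger name


class ErrorShield:
    """WSGI middleware: traceback to the client only when debug=True."""

    def __init__(self, app, debug=False):
        self.app = app
        self.debug = debug  # keep False in production

    def __call__(self, environ, start_response):
        try:
            # Simplification: buffer the body so errors raised while iterating are caught.
            return list(self.app(environ, start_response))
        except Exception:
            incident = uuid.uuid4().hex[:12]  # reference tying the page to the log entry
            detail = traceback.format_exc()
            # Full detail always goes to the server-side log for the administrator.
            log.error("incident=%s path=%s\n%s", incident, environ.get("PATH_INFO", ""), detail)
            if self.debug:
                body = detail
            else:
                body = ("An error occurred. The administrator has been notified.\n"
                        "Reference: %s\n" % incident)
            data = body.encode("utf-8")
            headers = [("Content-Type", "text/plain; charset=utf-8"),
                       ("Content-Length", str(len(data)))]
            # exc_info lets the server replace headers the app may already have set.
            start_response("500 Internal Server Error", headers, sys.exc_info())
            return [data]


def broken_app(environ, start_response):
    # Constructed failure whose message leaks a query fragment and a file path.
    raise RuntimeError("SQL error near 'users WHERE id=' in /srv/app/db.py")


def call(app, path="/item"):
    """Drive a WSGI app once and return (status, body text)."""
    seen = {}
    def start_response(status, headers, exc_info=None):
        seen["status"] = status
    body = b"".join(app({"PATH_INFO": path, "REQUEST_METHOD": "GET"}, start_response))
    return seen["status"], body.decode("utf-8")
```

With debug disabled, the reference shown to the user is the only link between the response and the logged traceback.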