
Revealing Error Message Vulnerability

Over-informative error messages (or error messages not meant for general consumption such as debug messages) can reveal targets or exploits for attack attempts.

Combined with an automated scan and injection attack, a page or application may be purposely fed inappropriate data to try to provoke a revealing error message.

Remedy

  • Provide a configurable “debug” mode such that, when the mode is disabled, only a generic message is shown, stating that “an” error happened and perhaps that “the administrator has been notified”.
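One way to implement this remedy, as an added example that is not part of the original page: the full error detail always goes to the server-side log, and the client sees it only when debug mode is on. The names `render_error`, `handle_request` and `lookup_user`, the sample handler's exception text and the short reference id appended to the generic message are assumptions made for illustration.

```python
import logging
import traceback
import uuid

log = logging.getLogger("app.errors")

GENERIC_MESSAGE = "An error occurred. The administrator has been notified."


def render_error(exc, debug=False):
    """Return (status, body) for the client; full details always go to the log."""
    # Assumption: a short random id lets an administrator match a user's
    # report to the logged detail without exposing that detail to the user.
    incident_id = uuid.uuid4().hex[:12]
    details = "".join(
        traceback.format_exception(type(exc), exc, exc.__traceback__)
    )
    log.error("incident %s\n%s", incident_id, details)
    if debug:
        # Debug mode: developers see the traceback in the response.
        return 500, details
    # Debug disabled: no exception type, message, path or query text leaks.
    return 500, f"{GENERIC_MESSAGE} (reference: {incident_id})"


def handle_request(handler, params, debug=False):
    """Run a request handler; never let an exception reach the client unfiltered."""
    try:
        return 200, handler(params)
    except Exception as exc:
        return render_error(exc, debug=debug)


def lookup_user(params):
    # Constructed sample handler: fails on malformed input and, unhandled,
    # would expose a file path and query text in its exception message.
    user_id = params.get("id", "")
    if not user_id.isdigit():
        raise ValueError(
            f'bad SQL near "WHERE id = {user_id}" in /srv/app/models/user.py'
        )
    return f"user {user_id}"
```

Keeping `debug` off by default means a deployment that forgets to set it fails closed, showing only the generic message.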

Additional Information

 
security/risk/revealing_error_message.txt · Last modified: 2006/12/09 17:15
 