Detailed Application and Database Error

Impact: Medium

Description

Unhandled exceptions have two primary risks.

Recommendation

You should handle all types of exceptions properly and display only a generic error message. Platform-specific details follow.

ASP.NET

For ASP.NET, you can disable detailed errors by setting the mode attribute of the customErrors element to On or RemoteOnly.

Example configuration:

<configuration>
  <system.web>
    <customErrors defaultRedirect="YourErrorPage.aspx"
                  mode="RemoteOnly">
      <error statusCode="500"
             redirect="InternalErrorPage.aspx"/>
    </customErrors>
  </system.web>
</configuration>

PHP

In PHP, you can disable error output by adding the following lines to your code:

ini_set('display_errors', 0);
ini_set('display_startup_errors', 0);
error_reporting(0);

You can also disable the display of errors in the php.ini file with the following setting:

display_errors = off
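
The following is an added example, not code from the original page: a PHP bootstrap that returns a generic message to the client while keeping full details in the server log, since error_reporting(0) stops errors from being logged as well as displayed. The helper names log_failure and send_generic_error and the message format are assumptions made for illustration.

```php
<?php
// Added example: hide error details from clients, keep them in the server log.
declare(strict_types=1);

ini_set('display_errors', '0');          // never render errors into the response
ini_set('display_startup_errors', '0');
ini_set('log_errors', '1');              // full details go to the server-side log
error_reporting(E_ALL);                  // report everything (to the log only)

// Hypothetical helper: log full detail under a random reference id, return the id.
function log_failure(Throwable $e): string
{
    $ref = bin2hex(random_bytes(8));
    error_log(sprintf('[%s] %s: %s in %s:%d', $ref, get_class($e),
        $e->getMessage(), $e->getFile(), $e->getLine()));
    return $ref;
}

// Hypothetical helper: the only error body a client ever sees.
function send_generic_error(string $ref): void
{
    if (!headers_sent()) {
        http_response_code(500);
        header('Content-Type: text/plain; charset=utf-8');
    }
    echo "An internal error occurred. Reference: $ref\n";
}

// Uncaught exceptions and Error objects (TypeError, etc.).
set_exception_handler(function (Throwable $e): void {
    send_generic_error(log_failure($e));
});

// Convert warnings and notices into exceptions so they take the same path.
set_error_handler(function (int $severity, string $msg, string $file, int $line): bool {
    if (!(error_reporting() & $severity)) {
        return false; // respect @-suppression and the configured level
    }
    throw new ErrorException($msg, 0, $severity, $file, $line);
});

// Fatal errors bypass both handlers; catch them at shutdown.
register_shutdown_function(function (): void {
    $err = error_get_last();
    if ($err !== null && ($err['type'] & (E_ERROR | E_PARSE | E_CORE_ERROR | E_COMPILE_ERROR))) {
        send_generic_error(log_failure(
            new ErrorException($err['message'], 0, $err['type'], $err['file'], $err['line'])));
    }
});
```

The reference id in the response lets support staff find the matching log entry without exposing stack traces, file paths or query text to the client.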

Last updated on September 06, 2021
