Error page path disclosure
Description
This vulnerability occurs when application error messages expose internal file system paths to users. When errors are not properly handled, the application may reveal absolute directory paths, framework locations, or server configuration details through stack traces, warning messages, or debug output.
Invicti identified one or more fully qualified path names disclosed in error responses. These path disclosures reveal information about the web server's file system structure and application architecture. Review the 'Attack details' section to see the specific paths that were exposed.
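As an added example (not Invicti's detection logic and not part of the original page), the following Python check scans response bodies for fully qualified Windows and Unix paths of the kind described above, so that a release pipeline or a log review can flag error pages that leak them. The regular expressions, the list of top-level Unix directories they look for, and the sample responses are all constructed assumptions for this illustration.

```python
import re

# Heuristic patterns (assumption, not a scanner's rules): a drive-letter path such as
# C:\inetpub\... and an absolute Unix path rooted in a well-known top-level directory.
WINDOWS_PATH = re.compile(r'\b[A-Za-z]:\\(?:[^\\\s"<>|:]+\\)*[^\\\s"<>|:]*')
UNIX_PATH = re.compile(r"(?<![\w/])/(?:var|usr|home|etc|opt|srv|tmp|www|app)(?:/[^\s\"'<>:;,)]+)+")

# Constructed sample error responses in the style of the three stacks the advisory names.
SAMPLE_RESPONSES = {
    "php_warning": "Warning: include(config.php): failed to open stream "
                   "in /var/www/html/app/index.php on line 12",
    "aspnet_trace": r"Server Error in '/' Application. at MyApp.Default.Page_Load(Object sender, "
                    r"EventArgs e) in C:\inetpub\wwwroot\MyApp\Default.aspx.cs:line 27",
    "java_trace": "org.apache.jasper.JasperException: /opt/tomcat/webapps/ROOT/index.jsp "
                  "(line: 5) An exception occurred processing JSP page",
    "generic": "An unexpected error occurred. Reference ID: 5f3a9c. Please contact support.",
}


def find_disclosed_paths(body: str) -> list[str]:
    """Return the distinct fully qualified paths found in a response body, in order."""
    found: list[str] = []
    for pattern in (WINDOWS_PATH, UNIX_PATH):
        for match in pattern.finditer(body):
            path = match.group(0).rstrip(".,;:")  # drop sentence punctuation glued to the path
            if path and path not in found:
                found.append(path)
    return found


def scan_responses(responses: dict[str, str]) -> dict[str, list[str]]:
    """Map each response name to the paths it discloses; responses with none are omitted."""
    return {name: paths for name, body in responses.items()
            if (paths := find_disclosed_paths(body))}


if __name__ == "__main__":
    for name, paths in scan_responses(SAMPLE_RESPONSES).items():
        print(f"{name}: {paths}")
```

The Unix pattern is deliberately anchored to a few common root directories so that ordinary URL paths such as /static/app.js are not reported; widen that list to match the directory layout of the servers you actually run.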
Remediation
Configure the application to display generic error messages to users while logging detailed error information securely on the server side. Implement the following measures:
1. Disable detailed error messages in production:
Ensure debug mode and verbose error reporting are disabled in production environments.
For PHP applications, set in php.ini:
    display_errors = Off
    log_errors = On
    error_log = /var/log/php_errors.log
For ASP.NET applications, configure web.config:
    <system.web>
        <customErrors mode="On" defaultRedirect="~/Error.html" />
    </system.web>
For Java applications, configure custom error pages in web.xml:
    <error-page>
        <exception-type>java.lang.Exception</exception-type>
        <location>/error.jsp</location>
    </error-page>
2. Implement custom error handlers:
Create user-friendly error pages that provide helpful information without exposing technical details.
3. Log errors securely:
Ensure detailed error information, including stack traces and paths, is logged to secure server-side log files with appropriate access controls.
4. Review application configuration:
Verify that all frameworks, libraries, and application servers are configured for production use with security-focused settings.
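Steps 2 and 3 together amount to one pattern: a last-resort handler that writes the full traceback (paths included) to a server-side log and returns the user only a generic message with a reference ID for support correlation. The following Python block is an added, framework-neutral illustration of that pattern, not code from the original page or from Invicti; the in-memory log buffer, the `handle_request` wrapper and the failing `load_config` view are constructed for the example, and in production the log handler would write to a file with restricted permissions.

```python
import logging
import traceback
import uuid
from io import StringIO

# Constructed in-memory log target so the example runs offline (assumption);
# production code would use a file handler on a path with restricted access.
LOG_BUFFER = StringIO()
logger = logging.getLogger("app.errors")
logger.setLevel(logging.ERROR)
logger.propagate = False
_handler = logging.StreamHandler(LOG_BUFFER)
_handler.setFormatter(logging.Formatter("%(asctime)s %(levelname)s ref=%(ref)s %(message)s"))
logger.addHandler(_handler)

# The only thing the client ever sees on an unhandled error.
GENERIC_BODY = "An unexpected error occurred. Reference ID: {ref}"


def handle_request(view, *args):
    """Run `view` and return (status, body).

    On any unhandled exception, log the complete traceback server-side under a
    fresh reference ID and return a generic 500 body carrying only that ID.
    """
    try:
        return 200, view(*args)
    except Exception:  # a catch-all is intentional in a last-resort handler
        ref = uuid.uuid4().hex[:12]
        # Stack trace and file system paths go to the log, never to the response.
        logger.error("unhandled exception\n%s", traceback.format_exc(), extra={"ref": ref})
        return 500, GENERIC_BODY.format(ref=ref)


def load_config(path):
    """Constructed failing view: the resulting traceback contains file paths."""
    raise FileNotFoundError(f"config not found: {path}")


def demo():
    """Exercise the handler once; return the response and the log contents."""
    status, body = handle_request(load_config, "/etc/app/config.ini")
    return status, body, LOG_BUFFER.getvalue()


if __name__ == "__main__":
    status, body, log_text = demo()
    print(status, body)
    print("--- server-side log ---")
    print(log_text)
```

The reference ID is the link between what the user reports and what the operator can find in the log, which is what lets the response stay generic without losing the detail needed for debugging.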