Stack Trace Disclosure (CakePHP)
Description
The application exposes detailed stack traces from the CakePHP framework when errors occur. Stack traces are diagnostic messages that reveal the internal execution flow of the application, including file paths, code snippets, framework version details, and database connection information. When these traces are displayed to end users instead of being logged internally, they create an information disclosure vulnerability that attackers can exploit to map the application's architecture and identify potential weaknesses.
Remediation
Configure CakePHP to suppress detailed error messages in production environments and implement proper error handling:
1. Disable debug mode in production:
Edit config/app.php and ensure debug mode is disabled:

'debug' => filter_var(env('DEBUG', false), FILTER_VALIDATE_BOOLEAN),

2. Configure custom error handling:
Implement a custom error handler in config/bootstrap.php or your error handling configuration:

use Cake\Error\ExceptionRenderer;
use Cake\Core\Configure;

if (!Configure::read('debug')) {
    // Display generic error page to users
    Configure::write('Error', [
        'errorLevel' => E_ALL,                          // report every error level
        'exceptionRenderer' => ExceptionRenderer::class, // renders the generic error templates
        'skipLog' => [],                                 // log every exception class
        'log' => true,                                   // write errors to the server-side log
        'trace' => false                                 // omit stack traces from log entries
    ]);
}

3. Create user-friendly error pages:
Design custom error templates in templates/Error/ that display generic messages without technical details.

4. Implement comprehensive logging:
Ensure all errors are logged to secure server-side files for debugging purposes while preventing exposure to end users. Regularly review error logs to identify and fix underlying issues.
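A response check that tells a disclosed CakePHP debug page apart from a generic error page, useful for verifying the remediation above after deployment. This is an added example, not code from the original article or from CakePHP; the indicator patterns are an assumed set based on what a CakePHP debug page typically contains, and both sample bodies are constructed.

```python
import re
from dataclasses import dataclass, field

# Assumed indicator set for a CakePHP debug error page; tune for the framework version in use.
INDICATORS = {
    "cake_namespace": re.compile(r"\bCake\\[A-Za-z]+\\[A-Za-z\\]+"),       # framework class in a frame
    "vendor_path": re.compile(r"vendor/cakephp/cakephp/src/[\w/]+\.php"),  # framework file path
    "trace_heading": re.compile(r"Stack\s+Trace", re.IGNORECASE),          # trace section heading
    "db_details": re.compile(r"SQLSTATE\[\w+\]|Access denied for user", re.IGNORECASE),
}


@dataclass
class Finding:
    disclosed: bool
    matched: dict = field(default_factory=dict)


def assess_response(body: str) -> Finding:
    """Flag a body that looks like a CakePHP debug page rather than a generic error template.

    One hit alone (for example a page that merely mentions a Cake\\ORM class) is not enough,
    so at least two distinct indicator classes are required before reporting disclosure.
    """
    matched = {name: m.group(0) for name, rx in INDICATORS.items() if (m := rx.search(body))}
    return Finding(disclosed=len(matched) >= 2, matched=matched)


# Constructed sample of what a debug-mode error page exposes (not captured from a real system).
DEBUG_PAGE = """<html><body>
<h1>Database Error</h1>
<p>SQLSTATE[HY000] [1045] Access denied for user 'app'@'localhost'</p>
<h2>Stack Trace</h2>
<p>ROOT/vendor/cakephp/cakephp/src/Database/Driver.php (line 120)</p>
<p>Cake\\Database\\Driver\\Mysql::connect()</p>
</body></html>"""

# Constructed sample of a generic templates/Error/ page with debug disabled.
GENERIC_PAGE = """<html><body>
<h1>An Internal Error Has Occurred.</h1>
<p>Please try again later.</p>
</body></html>"""


if __name__ == "__main__":
    for label, body in (("debug page", DEBUG_PAGE), ("generic page", GENERIC_PAGE)):
        f = assess_response(body)
        print(f"{label}: disclosed={f.disclosed} indicators={sorted(f.matched)}")
```

Run it against stored error responses from a staging or production host; a `disclosed=True` result after deploying the configuration above means debug mode is still on or the error templates still leak details.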