Detailed Server Configuration

Detailed Server Configuration

Overview of the Vulnerability

Visible detailed error pages are a result of improper error handling which introduces a variety of security problems for a website. Detailed internal error messages, such as error codes, stack traces and database dumps, can be displayed publicly, leaking implementation information.

The detailed server configuration leaked by this application shows which versions of software are running, physical paths, environmental variables, and the software configuration settings. An attacker can collect this data and combine it with other attack vectors to increase the severity and impact of malicious attacks on the application or exploit specific versions of software that have known vulnerabilities.

Business Impact

This vulnerability can impact customers’ trust in the application which can result in reputational damage for the business and indirect financial losses.

Steps to Reproduce

1. Use a browser to navigate to: {{URL}}

2. Observe detailed error message showing detailed server configuration

Proof of Concept (PoC)

The following screenshot shows the data disclosed in the detailed server configuration:

{{screenshot}}

Recommendation(s)

It is best practice to create a policy around what occurs when an error is made in the application, detailing what information is sent to the user and what information is logged. This policy should be circulated across all development teams so that their code adheres to the policy.

When an error occurs the site should respond with a generic error message to the user that does not display internal details about the error or the underlying system.

For more information refer to the following guides relating to this vulnerability:

• https://owasp.org/www-community/Improper_Error_Handling

• https://cheatsheetseries.owasp.org/cheatsheets/Error_Handling_Cheat_Sheet.html

• https://cwe.mitre.org/data/definitions/209.html