
Information Disclosure

Tags: security, CWE-200, OWASP A5:2021, CVSS 5.3, PHP 5.0+, Beginner

Also Known As

data leakage, information leakage, data exposure

TL;DR

Unintentional leakage of sensitive data — stack traces, version numbers, internal paths — aids attackers in crafting targeted exploits.

Explanation

Information disclosure vulnerabilities range from verbose error messages that reveal database structure and file paths, to response headers advertising framework versions, to source code accessible via backup file extensions (.php.bak, .php~). Even small disclosures help attackers fingerprint the stack. Mitigate by disabling display_errors in production, implementing a custom error handler, removing the X-Powered-By header with expose_php=Off and reviewing the remaining response headers, and auditing the webroot for accessible backup files.
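As an added example (not CodeClarityLab's own code), the bootstrap below applies the mitigations above globally rather than at a single call site: it disables error display, logs everything server-side, strips the X-Powered-By header, and turns uncaught exceptions and fatal errors into one generic response. LOG_PATH is an assumed path; expose_php is PHP_INI_SYSTEM and cannot be changed at runtime, so the script checks it and warns instead of setting it.

```php
<?php
// Added example (not from CodeClarityLab): a production bootstrap that
// applies the mitigations in one place. Include it before any application
// code runs. Assumes a writable log path (LOG_PATH below).
declare(strict_types=1);

const LOG_PATH = '/var/log/app/php-errors.log'; // assumption: adjust to your deployment

// 1. Never render errors to the client; record them server-side instead.
ini_set('display_errors', '0');
ini_set('display_startup_errors', '0');
ini_set('log_errors', '1');
ini_set('error_log', LOG_PATH);
error_reporting(E_ALL); // keep logging everything internally

// 2. expose_php cannot be changed at runtime (PHP_INI_SYSTEM), so strip the
//    header it adds here and verify the ini value at startup.
header_remove('X-Powered-By');
if (filter_var(ini_get('expose_php'), FILTER_VALIDATE_BOOLEAN)) {
    error_log('WARNING: expose_php is On; set expose_php=Off in php.ini');
}

// 3. Turn PHP warnings/notices into exceptions so one handler sees everything.
set_error_handler(function (int $severity, string $message, string $file, int $line): bool {
    if (!(error_reporting() & $severity)) {
        return false; // respect @-suppressed calls
    }
    throw new ErrorException($message, 0, $severity, $file, $line);
});

// 4. Generic response for the client; full details go to the log only.
function renderGenericError(string $logLine): void
{
    error_log($logLine);
    if (!headers_sent()) {
        http_response_code(500);
        header('Content-Type: application/json');
    }
    echo json_encode(['error' => 'An internal error occurred.']);
}

set_exception_handler(function (Throwable $e): void {
    renderGenericError(sprintf(
        '%s: %s in %s:%d%s%s',
        get_class($e), $e->getMessage(), $e->getFile(), $e->getLine(),
        PHP_EOL, $e->getTraceAsString()
    ));
});

// 5. Fatal errors (e.g. out of memory) bypass set_exception_handler, so a
//    shutdown function covers them with the same generic response.
register_shutdown_function(function (): void {
    $err = error_get_last();
    $fatal = [E_ERROR, E_PARSE, E_CORE_ERROR, E_COMPILE_ERROR];
    if ($err !== null && in_array($err['type'], $fatal, true)) {
        renderGenericError(sprintf('Fatal: %s in %s:%d', $err['message'], $err['file'], $err['line']));
    }
});
```

Load it before any output (for example via auto_prepend_file or at the top of the front controller), since header_remove() only works before headers are sent. The full message and trace still reach the log, so debugging is not lost; only the client-facing body changes.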

Common Misconception

The misconception: only highly sensitive data such as passwords matters in information disclosure. In practice, stack traces, server versions, internal IP addresses, and verbose error messages routinely help attackers fingerprint systems and plan targeted attacks.

Why It Matters

Leaked server versions, stack traces, or directory listings give attackers a precise map of attack surface — turning reconnaissance from days into seconds.

Common Mistakes

  • Displaying detailed PHP error messages (with file paths and line numbers) in production.
  • Exposing X-Powered-By, Server, and X-Generator headers that reveal technology stack and versions.
  • Leaving phpinfo() or test scripts accessible in the webroot.
  • Stack traces in API error responses that reveal internal class names, file paths, and query structure.

Code Examples

✗ Vulnerable
// Stack trace exposed to the user
try {
    $result = $this->process($data);
} catch (\Throwable $e) {
    return response()->json([
        'error' => $e->getMessage(),
        'trace' => $e->getTrace(), // reveals file paths, class names
    ], 500);
}

✓ Fixed
try {
    $result = $this->process($data);
} catch (\Throwable $e) {
    // Full details go to the server-side log only
    $this->logger->error('Process failed', [
        'exception' => $e->getMessage(),
        'trace'     => $e->getTraceAsString(),
    ]);
    // Generic message to the user — no internals leaked
    return response()->json(['error' => 'An internal error occurred.'], 500);
}

// php.ini:
// display_errors = Off
// expose_php     = Off  ; removes the X-Powered-By: PHP/8.x header

Added 15 Mar 2026
Edited 22 Mar 2026
Dev Intel: Tools & Severity

Severity: Medium
Fix effort: Low
Quick Fix: Set display_errors=Off, log_errors=On, expose_php=Off in production; catch all exceptions and return generic error messages to users.
Applies To: PHP 5.0+ (web)
Detection Hints: display_errors=On, phpinfo() accessible, or stack traces visible in HTTP responses.
Auto-detectable: Yes (owasp-zap, lighthouse, semgrep)
AI Agent: Confidence: High; False Positives: Medium; Manual fix required; Fix: Medium; Context: File; Tests: Update
Related CWEs: CWE-200, CWE-209
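As an added example, not part of the CodeClarityLab page, the script below turns the detection hints into a self-audit for your own deployment: scanResponse() flags the telltale headers and body patterns in a captured HTTP response (a constructed sample is embedded), and findBackupFiles() walks a webroot for the backup and test-file names listed under Common Mistakes. The walk runs over a temporary directory built inline; $webroot is an assumption to replace with the real document root.

```php
<?php
// Added example (not from CodeClarityLab): self-audit for the detection hints.
// Sample response and webroot contents are constructed below.
declare(strict_types=1);

/**
 * Returns a list of findings for one captured response (headers + body).
 */
function scanResponse(array $headers, string $body): array
{
    $findings = [];
    foreach ($headers as $name => $value) {
        $lname = strtolower($name);
        if ($lname === 'x-powered-by' || $lname === 'x-generator') {
            $findings[] = "header $name advertises the stack: $value";
        } elseif ($lname === 'server' && preg_match('~/\d~', $value)) {
            $findings[] = "Server header includes a version: $value";
        }
    }
    // Body patterns: display_errors output (plain or html_errors form),
    // exception traces, phpinfo() pages, raw database errors.
    $patterns = [
        'display_errors output' => '~\b(Warning|Notice|Fatal error|Parse error)(</b>)?: .* in /\S+ on line \d+~',
        'stack trace'           => '~(Stack trace:|^#\d+ /\S+\(\d+\): )~m',
        'phpinfo() page'        => '~<title>PHP \d+\.\d+\.\d+ - phpinfo\(\)</title>|PHP Version \d+\.\d+~',
        'SQL error detail'      => '~(SQLSTATE\[|You have an error in your SQL syntax)~',
    ];
    foreach ($patterns as $label => $regex) {
        if (preg_match($regex, $body)) {
            $findings[] = "body contains $label";
        }
    }
    return $findings;
}

/**
 * Walks $webroot and returns relative paths matching backup/test-file names.
 */
function findBackupFiles(string $webroot): array
{
    $suspect = '#(\.bak|\.old|\.orig|\.swp|~)$|(^|/)(phpinfo|test|info)\.php$#i';
    $hits = [];
    $it = new RecursiveIteratorIterator(
        new RecursiveDirectoryIterator($webroot, FilesystemIterator::SKIP_DOTS)
    );
    foreach ($it as $file) {
        $rel = substr($file->getPathname(), strlen($webroot) + 1);
        if (preg_match($suspect, $rel)) {
            $hits[] = $rel;
        }
    }
    sort($hits);
    return $hits;
}

// --- Constructed sample response (not a real capture) ---
$sampleHeaders = [
    'Server'       => 'Apache/2.4.57 (Debian)',
    'X-Powered-By' => 'PHP/8.2.12',
    'Content-Type' => 'text/html',
];
$sampleBody = "<b>Warning</b>: Undefined variable \$user in /var/www/app/login.php on line 42<br>\n"
    . "Stack trace:\n#0 /var/www/app/index.php(10): login()\n";
print_r(scanResponse($sampleHeaders, $sampleBody));

// --- Constructed webroot in a temp dir so the walk runs offline ---
$webroot = sys_get_temp_dir() . '/audit-demo-' . getmypid(); // assumption: replace with real document root
mkdir("$webroot/inc", 0700, true);
foreach (['index.php', 'config.php.bak', 'inc/db.php~', 'phpinfo.php'] as $f) {
    file_put_contents("$webroot/$f", '');
}
print_r(findBackupFiles($webroot));

// Remove the constructed tree again.
$cleanup = new RecursiveIteratorIterator(
    new RecursiveDirectoryIterator($webroot, FilesystemIterator::SKIP_DOTS),
    RecursiveIteratorIterator::CHILD_FIRST
);
foreach ($cleanup as $p) {
    $p->isDir() ? rmdir($p->getPathname()) : unlink($p->getPathname());
}
rmdir($webroot);
```

Feed scanResponse() the headers and body you capture from a staging or production URL after deployment; any finding at all means display_errors, expose_php, or an error handler is misconfigured. Run findBackupFiles() against the real document root as part of a deploy check so editor swap files and .bak copies never ship.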
