
Information Disclosure

Security · CWE-200 · OWASP A5:2021 · CVSS 5.3 · PHP 5.0+ · Beginner
debt(d5/e3/b3/t7)
d5 Detectability Operational debt — how invisible misuse is to your safety net

Closest to 'specialist tool catches it' (d5). The detection_hints list owasp-zap, lighthouse, and semgrep — all specialist tools. Common patterns like display_errors=On or phpinfo() accessible are detectable by these tools but won't be caught by a default linter or compiler; they require deliberate scanning with a DAST or SAST tool against a running or static codebase.

e3 Effort Remediation debt — work required to fix once spotted

Closest to 'simple parameterised fix' (e3). The quick_fix is a targeted set of ini/config changes (display_errors=Off, expose_php=Off, log_errors=On) plus wrapping exceptions to return generic messages. This is slightly more than a single-line patch because it touches php.ini, exception handlers, and potentially HTTP header configuration, but it stays within one component or deployment config layer — no cross-cutting refactor required.

b3 Burden Structural debt — long-term weight of choosing wrong

Closest to 'localised tax' (b3). The applies_to scope is web contexts, and the fixes (config flags, exception handlers, header removal) are localised to deployment configuration and error-handling layers. It doesn't impose a persistent productivity tax across many work streams, but it does require ongoing discipline to not regress (e.g. adding new API endpoints that leak stack traces), justifying a slight upward nudge to b3.

t7 Trap Cognitive debt — how counter-intuitive correct behaviour is

Closest to 'serious trap' (t7). The misconception field explicitly captures the canonical wrong belief: developers assume only passwords and PII constitute information disclosure, while stack traces, server version headers, and phpinfo() outputs are treated as harmless. This contradicts standard security thinking and is a widely held wrong assumption that can persist until a breach occurs — not catastrophic in the 't9 obvious way is always wrong' sense, but a serious belief that contradicts how security professionals frame the concept.


Also Known As

data leakage, information leakage, data exposure

TL;DR

Unintentional leakage of sensitive data — stack traces, version numbers, internal paths — aids attackers in crafting targeted exploits.

Explanation

Information disclosure vulnerabilities range from verbose error messages that reveal database structure and file paths, to response headers advertising framework versions, to source code accessible via backup file extensions (.php.bak, .php~). Even small disclosures aid attackers in fingerprinting the stack. Mitigate by disabling display_errors in production, implementing a custom error handler, reviewing response headers with expose_php=Off, and auditing for accessible backup files.
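As an added example (not code from the original page), here is a production bootstrap for a plain-PHP application that applies the mitigations above at runtime: errors are logged instead of rendered, warnings and notices are promoted to exceptions so one handler covers them all, the handler returns a generic message with an opaque reference id, and the X-Powered-By header is stripped. The log path is an assumption; expose_php cannot be changed with ini_set(), so it still belongs in php.ini. The scalar type declarations and random_bytes() need PHP 7 or later.

```php
<?php
// Added example, not from the original page: production bootstrap for a
// plain-PHP app. Include it before any application code runs.
declare(strict_types=1);

// 1. Keep errors out of the response body and in a server-side log.
ini_set('display_errors', '0');
ini_set('display_startup_errors', '0');
ini_set('log_errors', '1');
ini_set('error_log', '/var/log/php/app-error.log'); // assumed path
error_reporting(E_ALL);

// 2. expose_php is a php.ini-only setting (ini_set() cannot change it), so the
//    banner header is also removed here as a runtime fallback.
if (!headers_sent()) {
    header_remove('X-Powered-By');
}

// 3. Promote warnings/notices to exceptions so one handler covers everything.
set_error_handler(static function (int $errno, string $errstr, string $errfile, int $errline): bool {
    if (!(error_reporting() & $errno)) {
        return false; // respects the @ operator and error_reporting() masks
    }
    throw new \ErrorException($errstr, 0, $errno, $errfile, $errline);
});

// 4. Full detail to the log; generic message plus an opaque reference to the client.
set_exception_handler(static function (\Throwable $e): void {
    $reference = bin2hex(random_bytes(8)); // safe to show: reveals nothing about internals
    error_log(sprintf(
        "[%s] %s: %s in %s:%d\n%s",
        $reference, get_class($e), $e->getMessage(), $e->getFile(), $e->getLine(), $e->getTraceAsString()
    ));
    if (!headers_sent()) {
        http_response_code(500);
        header('Content-Type: application/json');
    }
    echo json_encode(['error' => 'An internal error occurred.', 'reference' => $reference]);
});

// 5. Fatal errors (out of memory, parse errors in included files) never reach the
//    exception handler; without this the client would get a blank 500 page.
register_shutdown_function(static function (): void {
    $err = error_get_last();
    if ($err === null || !in_array($err['type'], [E_ERROR, E_PARSE, E_CORE_ERROR, E_COMPILE_ERROR], true)) {
        return;
    }
    if (!headers_sent()) {
        http_response_code(500);
        header('Content-Type: application/json');
    }
    echo json_encode(['error' => 'An internal error occurred.']);
});
```

The reference id is what support staff grep for in the log; it lets a user report a failure without the response ever carrying a path, class name or query. The headers_sent() guards matter because a header() call after output starts would itself raise a warning, which the error handler would turn into an exception inside the exception handler.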

Common Misconception

Misconception: only highly sensitive data like passwords matters in information disclosure. In reality, stack traces, server versions, internal IP addresses, and verbose error messages routinely help attackers fingerprint systems and plan targeted attacks.

Why It Matters

Leaked server versions, stack traces, or directory listings give attackers a precise map of attack surface — turning reconnaissance from days into seconds.

Common Mistakes

  • Displaying detailed PHP error messages (with file paths and line numbers) in production.
  • Exposing X-Powered-By, Server, and X-Generator headers that reveal technology stack and versions.
  • Leaving phpinfo() or test scripts accessible in the webroot.
  • Stack traces in API error responses that reveal internal class names, file paths, and query structure.

Code Examples

✗ Vulnerable
// Stack trace exposed to the user
try {
    $result = $this->process($data);
} catch (\Throwable $e) {
    return response()->json([
        'error' => $e->getMessage(),
        'trace' => $e->getTrace(), // reveals file paths, class names
    ], 500);
}
✓ Fixed
try {
    $result = $this->process($data);
} catch (\Throwable $e) {
    $this->logger->error('Process failed', [
        'exception' => $e->getMessage(),
        'trace'     => $e->getTraceAsString(),
    ]);
    // Generic message to the user — no internals leaked
    return response()->json(['error' => 'An internal error occurred.'], 500);
}

// php.ini:
// display_errors = Off
// expose_php     = Off  ← removes X-Powered-By: PHP/8.x header

Added 15 Mar 2026
Edited 22 Mar 2026
DEV INTEL: Tools & Severity
Severity: Medium · Fix effort: Low
Quick Fix
Set display_errors=Off, log_errors=On, expose_php=Off in production; catch all exceptions and return generic error messages to users
Applies To
PHP 5.0+ (web)
Detection Hints
display_errors=On, or phpinfo() accessible, or stack traces visible in HTTP responses
Auto-detectable: yes (owasp-zap, lighthouse, semgrep)
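The first two hints (and the backup-file and phpinfo() items from the Common Mistakes and Explanation sections) can be checked without a scanner. As an added example, not part of the original page, the CLI audit below verifies the php.ini settings from the quick fix and walks the webroot for backup files, dotfiles and scripts that call phpinfo(). The default webroot and the filename patterns are assumptions; adjust them for your deployment. The third hint, traces in live responses, is what a DAST tool such as owasp-zap observes against the running application and is not covered here.

```php
<?php
// Added example, not from the original page: a CLI audit for the detection
// hints above. Usage: php audit.php /var/www/html
// Run it with the web SAPI's php.ini (php -c /path/to/php.ini audit.php ...),
// otherwise ini_get() reports the CLI configuration rather than the one that
// serves requests. The webroot default and the filename patterns are assumptions.
declare(strict_types=1);

// Production values for the settings named in the page's quick fix.
const REQUIRED_INI = [
    'display_errors'         => false,
    'display_startup_errors' => false,
    'expose_php'             => false,
    'log_errors'             => true,
];

// Filenames that typically expose source, configuration or server details (assumed list).
const LEAKY_FILE_PATTERNS = [
    '/\.(bak|old|orig|swp|tmp|dist)$/i',
    '/~$/',
    '/^\.env/',
    '/^\.git$/',
    '/^(phpinfo|info|test)\.php$/i',
];

function iniIsOn(string $key): bool
{
    // ini_get() returns "1"/"" for booleans set in php.ini but the literal
    // string ("On", "stderr", ...) when set elsewhere; treat anything that is
    // not clearly off as on, so an unexpected value is reported rather than missed.
    $value = strtolower(trim((string) ini_get($key)));
    return !in_array($value, ['', '0', 'off', 'false', 'no'], true);
}

function auditIni(): array
{
    $findings = [];
    foreach (REQUIRED_INI as $key => $expected) {
        $actual = iniIsOn($key);
        if ($actual !== $expected) {
            $findings[] = sprintf('ini: %s is %s, expected %s',
                $key, $actual ? 'On' : 'Off', $expected ? 'On' : 'Off');
        }
    }
    return $findings;
}

function auditWebroot(string $webroot): array
{
    $findings = [];
    $iter = new RecursiveIteratorIterator(
        new RecursiveDirectoryIterator($webroot, FilesystemIterator::SKIP_DOTS),
        RecursiveIteratorIterator::SELF_FIRST
    );
    foreach ($iter as $path => $info) {
        foreach (LEAKY_FILE_PATTERNS as $pattern) {
            if (preg_match($pattern, $info->getFilename())) {
                $findings[] = "webroot: $path matches $pattern";
                break;
            }
        }
        // Any script that calls phpinfo() from the webroot is a disclosure point,
        // whatever it is named.
        if ($info->isFile() && strtolower($info->getExtension()) === 'php') {
            $src = @file_get_contents($path);
            if ($src !== false && preg_match('/\bphpinfo\s*\(/', $src)) {
                $findings[] = "webroot: $path calls phpinfo()";
            }
        }
    }
    return $findings;
}

$webroot  = $argv[1] ?? '/var/www/html'; // assumed default
$findings = auditIni();
$findings = array_merge($findings, is_dir($webroot) ? auditWebroot($webroot) : ["webroot: $webroot not found"]);

if ($findings === []) {
    echo "OK: no information-disclosure findings\n";
    exit(0);
}
foreach ($findings as $f) {
    echo "FINDING: $f\n";
}
exit(1); // non-zero so a CI or deploy step fails on findings
```

The non-zero exit status is the point of the script: wired into a deploy pipeline it turns the "ongoing discipline to not regress" noted in the b3 score into a gate rather than a habit. Filename matching catches the editor and backup artefacts (.php.bak, .php~) the Explanation mentions; the source grep catches a phpinfo() call that has been renamed to something innocuous.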
AI Agent
Confidence: High · False positives: Medium · Manual fix · Fix effort: Medium · Context: File · Tests: Update
CWE: CWE-200, CWE-209