Leakage of sensitive information in exception message

Description

Leakage of sensitive information in exception messages poses a significant security risk. When an exception message is printed to the default output (for a web application, the HTTP response the client receives), it can reveal details about your application's technical setup or environment, such as internal file paths, library versions, or configuration locations. This can open the door to attacks such as path traversal. Even more concerning is the possibility of exposing user-specific data carried in the message, which can lead to serious privacy breaches.

Remediations

  • Do not print the full stack trace to the default output. This can inadvertently reveal sensitive information.
    echo $e->getTraceAsString(); // unsafe: writes the full stack trace to the output
  • Log only the essential details required for the error message. This minimizes the risk of sensitive data exposure.
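The following is an added example, not code from the Bearer rule page, that contrasts the unsafe pattern with a handler that follows both remediations. The `chargeCard` function and the `PaymentDeclinedException` class are constructed for the example; the exception message is built to carry an internal file path so the leak is visible in the output.

```php
<?php
declare(strict_types=1);

// Added example (not part of the Bearer rule page). Shows an exception handler
// that echoes exception internals to the response next to one that logs the
// detail server-side and returns only a generic message plus a correlation id.

final class PaymentDeclinedException extends RuntimeException {}

/** Constructed operation whose exception message carries internal detail. */
function chargeCard(string $cardNumber): void
{
    // The message mentions an internal config path: fine in a server log,
    // but not something a client should ever see.
    throw new PaymentDeclinedException(
        'Gateway refused the charge; config at /etc/app/gateway.ini is stale'
    );
}

/** UNSAFE: the message, file path and full stack trace go into the HTTP response body. */
function handleUnsafe(string $cardNumber): string
{
    try {
        chargeCard($cardNumber);
        return 'ok';
    } catch (Throwable $e) {
        // Everything returned here is what the client sees.
        return $e->getMessage() . "\n"
            . $e->getFile() . ':' . $e->getLine() . "\n"
            . $e->getTraceAsString();
    }
}

/** SAFE: the server log gets the detail; the client gets an opaque reference. */
function handleSafe(string $cardNumber): string
{
    try {
        chargeCard($cardNumber);
        return 'ok';
    } catch (Throwable $e) {
        // A random correlation id lets an operator find the log entry
        // without exposing any of its content to the client.
        $ref = bin2hex(random_bytes(8));

        // Server-side only: exception class, message and location are the
        // essential details for debugging. The card number passed by the
        // caller is deliberately not logged; only its last four digits are.
        error_log(sprintf(
            '[ref=%s] %s: %s at %s:%d (card ending %s)',
            $ref,
            get_class($e),
            $e->getMessage(),
            $e->getFile(),
            $e->getLine(),
            substr($cardNumber, -4)
        ));

        // Generic, fixed wording for the client; no exception internals.
        http_response_code(500);
        return json_encode([
            'error' => 'Payment could not be processed.',
            'ref'   => $ref,
        ], JSON_THROW_ON_ERROR);
    }
}

// Demonstration with a constructed test card number.
echo "--- unsafe response body ---\n";
echo handleUnsafe('4111111111111111'), "\n";
echo "--- safe response body ---\n";
echo handleSafe('4111111111111111'), "\n";
```

Run it from the CLI and compare the two response bodies: the unsafe one prints the internal config path, the script's file path, and the trace, while the safe one prints a single generic sentence and a reference id. The full detail is still available to operators through `error_log()`, which in a web context lands in the SAPI error log rather than the response.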

References

Associated CWE

OWASP Top 10

Configuration

To skip this rule during a scan, use the following flag

bearer scan /path/to/your-project/ --skip-rule=php_lang_information_leakage

To run only this rule during a scan, use the following flag

bearer scan /path/to/your-project/ --only-rule=php_lang_information_leakage