Information Exposure #2953

@dpfaffenbauer

Description

Problem Statement
Internal error messages and stack traces are returned directly to the client in case of server errors.

Description

  • Exception messages and full stack traces are embedded directly into HTML responses.
  • Internal implementation details leave the server trust boundary.

Example

$responseData = '<strong>' . $e->getMessage() . '</strong><br>trace: ' . $e->getTraceAsString();

Impact

  • Disclosure of internal classes, file paths, and control flow.
  • Easier analysis of the application architecture.
  • Reduced effort for targeted follow-up attacks.

Mitigation

  • Do not return exception messages or stack traces to clients.
  • Use generic error messages in responses.
  • Log detailed error information exclusively on the server side.
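The snippet quoted in the Example section beside a hardened handler that follows the three mitigation points, as an added illustration that is not the project's own code. The exception, the in-memory log sink and the helper names (renderErrorVulnerable, renderErrorHardened) are constructed here for the demonstration; the hardened version hands the client only a generic message and an opaque reference id and writes the message, class, file, line and trace to the server-side log.

```php
<?php
// Added example, not code from the issue or the project. Helper names are
// hypothetical; the exception and log sink below are constructed for the demo.
declare(strict_types=1);

// Vulnerable pattern from the issue: message and stack trace go into the response.
function renderErrorVulnerable(Throwable $e): string
{
    return '<strong>' . $e->getMessage() . '</strong><br>trace: ' . $e->getTraceAsString();
}

// Hardened: generic text plus an opaque correlation id for the client; every
// internal detail is written only to the server-side log via $log.
function renderErrorHardened(Throwable $e, callable $log): string
{
    // Random id so support can match a user report to the log entry without
    // the response revealing anything about classes, paths or control flow.
    $errorId = bin2hex(random_bytes(8));

    $log(sprintf(
        "error_id=%s class=%s message=%s at %s:%d\n%s",
        $errorId,
        get_class($e),
        $e->getMessage(),
        $e->getFile(),
        $e->getLine(),
        $e->getTraceAsString()
    ));

    // Escape on output as a habit for anything interpolated into HTML.
    return '<strong>An internal error occurred.</strong><br>Reference: '
        . htmlspecialchars($errorId, ENT_QUOTES, 'UTF-8');
}

// Minimal check helper so the demo fails loudly regardless of zend.assertions.
function check(bool $cond, string $what): void
{
    if (!$cond) {
        throw new LogicException('check failed: ' . $what);
    }
}

// Constructed server-side log sink (stands in for a PSR-3 logger or error_log()).
$serverLog = [];
$sink = static function (string $line) use (&$serverLog): void {
    $serverLog[] = $line;
};

try {
    // Constructed exception whose message carries internal details.
    throw new RuntimeException('DB connection failed: host=db-internal.local user=app');
} catch (Throwable $e) {
    $leaky = renderErrorVulnerable($e);
    $safe  = renderErrorHardened($e, $sink);

    // The vulnerable response leaks the message; the hardened one must not.
    check(str_contains($leaky, 'db-internal.local'), 'vulnerable response leaks message');
    check(!str_contains($safe, 'db-internal.local'), 'hardened response hides message');
    check(!str_contains($safe, '#0 '), 'hardened response has no stack frames');
    check(!str_contains($safe, __FILE__), 'hardened response has no file path');
    check(count($serverLog) === 1 && str_contains($serverLog[0], 'db-internal.local'),
        'details reached the server log');

    echo $safe, PHP_EOL;
}
```

In a real handler the `$log` callable would be the application's logger; the only property the client-facing string needs is that it is independent of the exception's contents, so that the same generic text is returned whatever failed.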

@raphael-kat @papillo-solutions
