PHP display_errors is on

The display_errors directive in PHP determines whether error messages are sent to the browser as part of the page output or hidden from the user. Many servers are deployed with display_errors left enabled. Error messages frequently contain sensitive information about the web application environment and should never be presented to untrusted users. Using these messages, an attacker can gather information about the server and use it against the application: error output can assist attacks such as SQL injection and can reveal file system paths on the server. Once an attacker learns the files and folders involved, he can form a clear picture of the application's layout and guess the location of sensitive files. In the worst case, the attacker can exploit this weakness to gain full access to the server, make sensitive changes, and get the application placed on search engine blocklists such as Google's blacklist.

Example

The code below is a working example of reading and changing the display_errors setting at runtime.

        <?php
        // Print the current value of display_errors ("1" when errors are shown in the browser).
        echo ini_get('display_errors');
        // Turn the directive off for the remainder of this request.
        ini_set('display_errors', '0');
        // Print the new value ("0").
        echo ini_get('display_errors');
        ?>

The first echo prints the current setting; while it is on, errors are displayed in the browser. The ini_set call then turns display_errors off for the rest of the request, and the second echo prints 0.

Impact

Using this vulnerability, an attacker can:

  • manipulate sensitive information
  • leak sensitive information
  • gain administrator access to the web application

Mitigation / Precaution

Beagle recommends the following fixes:

  • Disable display_errors in php.ini or .htaccess, and keep log_errors enabled so that errors are still recorded on the server.

php.ini

        display_errors = Off
        log_errors = On

.htaccess

        php_flag display_errors off
        php_flag log_errors on

Note that php_flag in .htaccess only takes effect when PHP runs as an Apache module (mod_php); under PHP-FPM or CGI, set the directive in php.ini or in the FPM pool configuration instead.
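As an added example (not code from the original article), the following PHP bootstrap applies the same hardening at runtime for hosts where php.ini cannot be edited: it turns display_errors off, sends full details to a server-side log and returns only a generic message to the client. The log path and the errors_are_exposed() helper are assumptions, not part of the page.

```php
<?php
// Added example: runtime hardening of PHP error reporting.
// Assumption: this runs early in a front controller; the log path is a placeholder.
declare(strict_types=1);

function harden_error_reporting(string $logFile): void
{
    // Report everything so nothing is silently lost from the log...
    error_reporting(E_ALL);
    // ...but never render it in the HTTP response.
    ini_set('display_errors', '0');
    ini_set('display_startup_errors', '0');
    // Record the details on the server instead of showing them to the client.
    ini_set('log_errors', '1');
    ini_set('error_log', $logFile);
    ini_set('html_errors', '0');

    // Route PHP warnings/notices to the log and suppress PHP's own output.
    set_error_handler(function (int $no, string $str, string $file, int $line): bool {
        error_log(sprintf('PHP error [%d] %s in %s:%d', $no, $str, $file, $line));
        return true;
    });

    // Uncaught exceptions: full trace to the log, generic message to the user.
    set_exception_handler(function (Throwable $e): void {
        error_log('Uncaught ' . get_class($e) . ': ' . $e->getMessage()
            . "\n" . $e->getTraceAsString());
        http_response_code(500);
        echo 'An internal error occurred. Please try again later.';
    });
}

// Check helper (assumed name): true when the current configuration would
// print errors to the client. ini_get returns "1" for On/Yes/True from php.ini.
function errors_are_exposed(): bool
{
    $v = strtolower((string) ini_get('display_errors'));
    return in_array($v, ['1', 'on', 'true', 'yes', 'stdout'], true);
}

harden_error_reporting('/var/log/php/app-errors.log'); // placeholder path
var_dump(errors_are_exposed());
// This warning now goes to the log file, not to the browser.
trigger_error('database password missing in config', E_USER_WARNING);
```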
