With the display_error PHP configuration directive enabled, untrusted sources can see detailed web application environment error messages which include sensitive information that can be used to craft further attacks. Attackers will do anything to collect information in order to design their attack in a more sophisticated way to eventually hack your website or web application, and causing errors to display is a common starting point. Website errors can always occur, but they should be supressed from being displayed back to the public.Examples of common information revealed in errors are path locations — which expose the main directory path (webroot) of your website, or source code debugging errors which could reveal vulnerabilities that could be exploited to gain illegal access to the site. By studying path locations, an attacker can visualize how your website is designed and structured, and make assumptions on where critical files are stored and how to retrieve them in order to break any security mechanisms to eventually gain full control of the website or application, create malware links, and land your site on the Google Blacklist.
There are many options in the configuration settings of PHP for configuring errors and their behavior (when to show up). PHP errors are enabled in order to let the developer understand the cause of a problem how to get it fixed. However, it is highly recommended to turn PHP errors off on production websites in order to avoid leakage of important information. In case something is not working as it should or as expected, you should contact your developer and let them know of the issue.
After resolving the issue that caused the PHP error, it is highly recommended to disable displaying of errors on production — or live — websites. You can disable display_errors from your site’s php.ini, from the PHP code itself or from the .htaccess as follows:
display_errors = ‘off’
log_errors = ‘on’
php_flag display_errors off
php_flag log_errors on
Turn off error reporting using PHP code in your PHP website
error_reporting(0); // Turn off all error reporting
Get the latest content on web security in your inbox each week.
SHARE THIS POST
Acunetix developers and tech agents regularly contribute to the blog. All the Acunetix developers come with years of experience in the web security sphere.