Description
The application exposes database names through error messages, configuration files, or other publicly accessible resources. Database names can provide attackers with valuable reconnaissance information about the application's backend infrastructure, making targeted attacks more effective.
Remediation
Take the following steps to prevent database name disclosure:
1. Review error handling: Ensure database errors are caught and generic error messages are displayed to users. Log detailed errors server-side only.
2. Secure configuration files: Move database configuration files outside the web root or restrict access using web server configurations:
# Apache .htaccess example
<FilesMatch "\.(ini|conf|config|yml|yaml)$">
Require all denied
</FilesMatch>
# Nginx example
location ~* \.(ini|conf|config|yml|yaml)$ {
deny all;
}3. Remove sensitive files: Delete any backup files, documentation, or configuration samples from production servers that may contain database names.
4. Implement custom error pages: Configure your application framework to use generic error pages that do not reveal technical details about the database or application structure.
References
Related Vulnerabilities
WordPress Plugin Easy Author Image Information Disclosure (1.5)
WordPress Exposure of Sensitive Information to an Unauthorized Actor Vulnerability (CVE-2011-3128)
PHP Exposure of Sensitive Information to an Unauthorized Actor Vulnerability (CVE-2010-1864)
WordPress Plugin MiwoFTP-File & Folder Manager Arbitrary File Download (1.0.5)
WordPress Plugin Correos Woocommerce Arbitrary File Download (1.3.0.0)