Description
The web application has the Whoops error handler enabled in a production environment. Whoops is a PHP debugging library intended for development: when an exception or error occurs, its PrettyPageHandler renders a detailed error page containing the full stack trace, the application source code around each frame, environment variables, and request data (GET/POST parameters, cookies, session and server variables). In production this hands an unauthenticated user file system paths, framework and library versions, configuration values and potentially credentials held in environment variables or request data, all of which support further attacks. Verbose error reporting of this kind must be restricted to development environments.
Remediation
Disable Whoops error handling in production environments and implement generic error pages for end users. Configure the application to log detailed errors server-side for debugging purposes while displaying user-friendly error messages without technical details.
For PHP applications using Whoops, register it only when the environment is explicitly marked as development, so that an unset or misconfigured variable falls through to the production branch rather than enabling the debug page:

<?php
// Composer autoloader: required for the Whoops classes in the development branch
require __DIR__ . '/vendor/autoload.php';

if (getenv('APP_ENV') === 'development') {
    $whoops = new \Whoops\Run;
    $whoops->pushHandler(new \Whoops\Handler\PrettyPageHandler);
    $whoops->register();
} else {
    // Production: never echo error details to the client
    ini_set('display_errors', '0');
    error_reporting(E_ALL);
    // Log errors to a file instead
    ini_set('log_errors', '1');
    ini_set('error_log', '/var/log/app/errors.log');
}

Set display_errors=Off in php.ini or the PHP-FPM pool configuration as well: ini_set() at runtime does not cover parse or startup errors that occur before the script executes. Additionally, remove Whoops from production dependencies by placing it in the development section of your dependency manager (e.g., require-dev in composer.json) and deploying with composer install --no-dev, since a plain composer install still installs require-dev packages. Frameworks that bundle Whoops usually enable it through a debug flag; confirm that flag is off in production. Implement custom error pages that provide helpful guidance to users without revealing system internals, and verify the fix by triggering an exception against the production host: the response should be a generic error page, not a Whoops page (titled "Whoops! There was an error." by default).
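The remediation above says to log full details server-side while showing users a generic page. The following is an added example, not code from this page or from the Whoops project, of a front-controller bootstrap that does exactly that: uncaught exceptions, PHP warnings and fatal errors are all written to a log with a correlation ID, and the client only ever receives a generic 500 page carrying that ID. The APP_ENV variable name, the log path /var/log/app/errors.log and the Composer autoloader location are assumptions.

```php
<?php
declare(strict_types=1);

// Assumed paths; adjust for the deployment.
require __DIR__ . '/vendor/autoload.php';
const APP_ERROR_LOG = '/var/log/app/errors.log';

function isDevelopment(): bool
{
    // Fail closed: anything other than an explicit "development" is treated as production.
    return getenv('APP_ENV') === 'development';
}

function logThrowable(Throwable $e, string $id): void
{
    // Everything Whoops would have shown the user goes here instead.
    $entry = sprintf(
        "[%s] id=%s %s: %s in %s:%d\n%s\n",
        date('c'), $id, get_class($e), $e->getMessage(),
        $e->getFile(), $e->getLine(), $e->getTraceAsString()
    );
    // message_type 3 appends to the given file; fall back to the SAPI log if that fails.
    if (@error_log($entry, 3, APP_ERROR_LOG) === false) {
        error_log($entry);
    }
}

function renderGenericError(string $id): void
{
    if (!headers_sent()) {
        http_response_code(500);
        header('Content-Type: text/html; charset=utf-8');
    }
    $safeId = htmlspecialchars($id, ENT_QUOTES, 'UTF-8');
    // Only a reference ID reaches the client; support staff match it against the log.
    echo "<!doctype html><title>Error</title><h1>Something went wrong</h1>"
       . "<p>Please try again later. Reference: {$safeId}</p>";
}

if (isDevelopment()) {
    $whoops = new \Whoops\Run;
    $whoops->pushHandler(new \Whoops\Handler\PrettyPageHandler);
    $whoops->register();
} else {
    ini_set('display_errors', '0');
    ini_set('display_startup_errors', '0');
    ini_set('log_errors', '1');
    ini_set('error_log', APP_ERROR_LOG);
    error_reporting(E_ALL);

    // Uncaught exceptions: log in full, show nothing technical.
    set_exception_handler(function (Throwable $e): void {
        $id = bin2hex(random_bytes(8));
        logThrowable($e, $id);
        renderGenericError($id);
    });

    // Promote warnings/notices to exceptions so they take the same path.
    set_error_handler(function (int $severity, string $message, string $file, int $line): bool {
        if (!(error_reporting() & $severity)) {
            return false; // respect @-suppressed calls
        }
        throw new ErrorException($message, 0, $severity, $file, $line);
    });

    // Fatal errors bypass set_exception_handler; catch them at shutdown.
    register_shutdown_function(function (): void {
        $err = error_get_last();
        $fatal = E_ERROR | E_PARSE | E_CORE_ERROR | E_COMPILE_ERROR;
        if ($err !== null && ($err['type'] & $fatal)) {
            $id = bin2hex(random_bytes(8));
            @error_log(sprintf("[%s] id=%s fatal: %s in %s:%d\n",
                date('c'), $id, $err['message'], $err['file'], $err['line']), 3, APP_ERROR_LOG);
            renderGenericError($id);
        }
    });
}

// Application code follows; e.g. require __DIR__ . '/app.php';
```

The correlation ID is what makes the generic page usable: a user can quote it to support, and the full trace is in the log under the same ID, so nothing has to be shown in the browser to debug the incident.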
References
Related Vulnerabilities
WordPress Plugin WP Activity Log Information Disclosure (3.1.1)
WordPress Plugin Correos Woocommerce Arbitrary File Download (1.3.0.0)
WordPress Plugin Service Finder-Provider and Business Listing Local File Disclosure (3.0)
Joomla! Core 1.5.x Information Disclosure (1.5.0 - 1.5.12)
WordPress Plugin Timetable and Event Schedule by MotoPress Information Disclosure (2.3.19)