PHP Display Errors On
Description
Detects when PHP is configured to display errors in production, which exposes internal application details to anyone who can trigger an error. When PHP errors are rendered in the HTTP response, they may reveal absolute file paths, stack traces, SQL queries and table names, credentials embedded in connection strings, or other internal system information that helps an attacker map the application.
Detection Strategy
• Scans PHP configuration files (php.ini) for the display_errors directive
• Reports a vulnerability if display_errors is set to any value other than Off
• Every enabling value is treated as vulnerable: On, 1, true, yes, and also stderr or stdout, which still emit the error text rather than suppressing it
• Scope caveat: this check reads php.ini only. The same directive can be set in a php-fpm pool (php_value / php_admin_value), in .htaccess (php_flag), or at runtime with ini_set(), so those locations should be reviewed as well
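The detection rule above, written out as a small php.ini scanner so that it can be run against a configuration file. This is an added example, not the vendor's own implementation. It goes slightly beyond the page's rule in two places that follow from PHP's documented ini handling: the spellings PHP's ini parser treats as boolean false (Off, 0, false, no, none, and an empty value) are all accepted as off, and a file that never sets the directive at all is reported, because PHP's compiled-in default for display_errors is "1". The SAMPLE_INI fragment is constructed for the example.

```python
import re
from typing import List, Optional, Tuple

# Spellings that PHP's ini parser evaluates as boolean false.
# "stderr" and "stdout" are deliberately NOT here: they still display errors,
# just on a different stream, so they are treated as enabling values.
OFF_VALUES = {"off", "0", "false", "no", "none", ""}

# Constructed php.ini fragment for this example (not from the original page).
# It mixes a commented-out Off, a real On, a quoted value, and a later override,
# because in php.ini the LAST occurrence of a directive is the one that applies.
SAMPLE_INI = """\
[PHP]
; display_errors = Off
display_errors = On
log_errors = On
[Overrides]
display_errors=0
Display_Errors = "stderr"
"""

# key = value, with optional whitespace around both; key match is case-insensitive.
DIRECTIVE_RE = re.compile(r'^\s*(?P<key>[A-Za-z_.]+)\s*=\s*(?P<value>.*?)\s*$')


def normalize_value(raw: str) -> str:
    """Drop an inline ';' comment, strip surrounding quotes, lower-case the rest."""
    value = raw.split(';', 1)[0].strip()
    if len(value) >= 2 and value[0] == value[-1] and value[0] in ('"', "'"):
        value = value[1:-1]
    return value.strip().lower()


def find_display_errors(ini_text: str) -> List[Tuple[int, str]]:
    """Return (line_number, normalized_value) for every display_errors directive.

    Comment lines (';' or '#') and section headers are skipped, so a
    commented-out 'display_errors = Off' cannot mask a live 'On' further down.
    """
    hits: List[Tuple[int, str]] = []
    for lineno, line in enumerate(ini_text.splitlines(), start=1):
        stripped = line.strip()
        if not stripped or stripped[0] in (';', '#', '['):
            continue
        match = DIRECTIVE_RE.match(line)
        if match and match.group('key').lower() == 'display_errors':
            hits.append((lineno, normalize_value(match.group('value'))))
    return hits


def vulnerable_lines(ini_text: str) -> List[Tuple[int, str]]:
    """Every display_errors directive whose value is not an off value (the page's rule)."""
    return [(n, v) for n, v in find_display_errors(ini_text) if v not in OFF_VALUES]


def effective_display_errors(ini_text: str) -> Optional[str]:
    """The value PHP will actually use from this file: the last directive wins."""
    hits = find_display_errors(ini_text)
    return hits[-1][1] if hits else None


def is_vulnerable(ini_text: str) -> bool:
    """True if the file leaves error display enabled.

    A missing directive counts as vulnerable: PHP's built-in default for
    display_errors is "1", so only an explicit off value turns it off.
    """
    effective = effective_display_errors(ini_text)
    return effective is None or effective not in OFF_VALUES


if __name__ == "__main__":
    for lineno, value in vulnerable_lines(SAMPLE_INI):
        print(f"line {lineno}: display_errors = {value!r} (enabling value)")
    print("effective value:", effective_display_errors(SAMPLE_INI))
    print("vulnerable:", is_vulnerable(SAMPLE_INI))
```

Run it as `python3 scan_display_errors.py` against the embedded sample, or replace SAMPLE_INI with the contents of a real php.ini (`php --ini` prints which files are loaded). Reporting both the per-line hits and the effective value is useful in practice: the per-line list matches the page's rule and flags a stray `On` that someone may later uncomment or reorder, while the effective value tells you what the server is doing right now.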
Vulnerable code example
; PHP configuration file (php.ini)
; Critical security settings
; VULNERABLE: Enables error display in production, could leak sensitive data
display_errors = On

Secure code example
; PHP configuration file (php.ini)
; Critical security settings
; Disable error display in production to prevent information disclosure
display_errors = Off
; Log errors instead of displaying them
log_errors = On