X-ChromeLogger-Data (XCOLD) Header Information Leak
- Risk:
- Type: Passive
- CWE: CWE-200
- Summary
The server is leaking information through the X-ChromeLogger-Data (or X-ChromePhp-Data) response header. The header carries a base64-encoded JSON log intended for a browser debugging extension; what it contains is up to the developer, but it commonly includes server file system locations, vhost declarations, matched routes and controller class names, and similar internals.
- Solution
Disable this functionality in production, where it can leak information that an attacker could leverage. Alternatively, tie its use to a strong authorization check so that it is available only to administrators or support personnel for troubleshooting, not to general users.
- Other info
- The following represents an attempt to base64 decode the value: {"version":"4.0","columns":["label","log","backtrace","type"],"rows":[["request","Matched route \"app_security_login\" (parameters: \"_controller\": \"BackEnd\\AppBundle\\Controller\\SecurityController::loginAction\", \"_route\": \"app_security_login\")","unknown","info"],["security","Populated SecurityContext with an anonymous Token","unknown","info"]],"request_uri":"\/login"}
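The decoding shown above can be reproduced as a small passive check. The following is an added example, not part of the original alert text and not the scanner's own implementation: it parses a raw HTTP response, looks for either header name, base64-decodes the JSON, keys each row by the `columns` array, and flags values that look like file system paths, PHP namespaces or vhost configuration. The sample response, the extra backtrace row carrying a path, and the regular-expression heuristics are all constructed for this example.

```python
import base64
import json
import re

# Header names used by ChromeLogger-compatible loggers (HTTP header names are case-insensitive).
CHROMELOGGER_HEADERS = ("x-chromelogger-data", "x-chromephp-data")

# Assumed heuristics for strings worth escalating: not the scanner's own rules.
SENSITIVE_PATTERNS = [
    ("unix path", re.compile(r"/(?:var|home|srv|opt|etc|usr)/[\w./-]+")),
    ("windows path", re.compile(r"[A-Za-z]:\\[\w\\. -]+")),
    ("php namespace", re.compile(r"\b[A-Z]\w*(?:\\[A-Z]\w*)+(?:::\w+)?")),
    ("vhost/config", re.compile(r"(?i)vhost|virtualhost|document_?root")),
]


def parse_response(raw: bytes):
    """Split a raw HTTP/1.x response into (status line, lower-cased header dict, body)."""
    head, _, body = raw.partition(b"\r\n\r\n")
    lines = head.decode("iso-8859-1").split("\r\n")
    headers = {}
    for line in lines[1:]:
        name, _, value = line.partition(":")
        headers[name.strip().lower()] = value.strip()
    return lines[0], headers, body


def decode_chromelogger(value: str) -> dict:
    """Decode one header value: base64 of a UTF-8 JSON document with the keys
    'version', 'columns', 'rows' and 'request_uri' seen in the alert above."""
    compact = re.sub(r"\s+", "", value)      # header value may have been folded
    compact += "=" * (-len(compact) % 4)      # tolerate stripped base64 padding
    return json.loads(base64.b64decode(compact).decode("utf-8"))


def rows_as_dicts(payload: dict) -> list[dict]:
    """Zip each row with the 'columns' array so entries are keyed by column name."""
    cols = payload.get("columns", [])
    return [dict(zip(cols, row)) for row in payload.get("rows", [])]


def find_sensitive(entry: dict) -> list[tuple[str, str]]:
    """Return (category, match) pairs for anything in the log entry that looks leaky."""
    hits = []
    for field in ("log", "backtrace"):
        text = str(entry.get(field, ""))
        for name, pattern in SENSITIVE_PATTERNS:
            for match in pattern.findall(text):
                hits.append((name, match))
    return hits


def scan(raw: bytes) -> dict:
    """Passive check: report each ChromeLogger header found, its decoded rows,
    and the values that match the leak heuristics."""
    _, headers, _ = parse_response(raw)
    report = {"headers": [], "request_uri": None, "entries": [], "sensitive": []}
    for name in CHROMELOGGER_HEADERS:
        if name not in headers:
            continue
        report["headers"].append(name)
        payload = decode_chromelogger(headers[name])
        report["request_uri"] = payload.get("request_uri")
        for entry in rows_as_dicts(payload):
            report["entries"].append(entry)
            report["sensitive"].extend(find_sensitive(entry))
    return report


def build_sample_response() -> bytes:
    """Constructed sample (not captured from a real host): the alert's decoded JSON
    plus one extra row whose backtrace carries a server-side path."""
    payload = {
        "version": "4.0",
        "columns": ["label", "log", "backtrace", "type"],
        "rows": [
            ["request",
             'Matched route "app_security_login" (parameters: "_controller": '
             '"BackEnd\\AppBundle\\Controller\\SecurityController::loginAction", '
             '"_route": "app_security_login")',
             "unknown", "info"],
            ["security", "Populated SecurityContext with an anonymous Token",
             "unknown", "info"],
            ["app", "Login form rendered",
             "/var/www/app/src/BackEnd/AppBundle/Controller/SecurityController.php : 42",
             "info"],
        ],
        "request_uri": "/login",
    }
    encoded = base64.b64encode(json.dumps(payload).encode("utf-8")).decode("ascii")
    return (b"HTTP/1.1 200 OK\r\n"
            b"Content-Type: text/html; charset=UTF-8\r\n"
            b"X-ChromeLogger-Data: " + encoded.encode("ascii") + b"\r\n"
            b"\r\n"
            b"<html>...</html>")


if __name__ == "__main__":
    for category, value in scan(build_sample_response())["sensitive"]:
        print(f"{category}: {value}")
```

Running the block against the constructed response reports the fully qualified controller class from the first row and the `/var/www/...` path from the added backtrace; a response without either header yields an empty report, which is the state a production deployment should be in after applying the solution above.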