Hello,
Issue
There is a clear Information Disclosure vulnerability in file stock.php, lines 18, 25, 26, 34, 46, 69 and 79, due to the immediate and unavoidable call to the "pg_last_error()" function in another function that will return its full content to the end user consulting the page (in our case, the die() function).
Remediation
I would recommend that you globally stop the insecure way of accessing errors generated by any DBMS request made by the application and initiate an "Environment-based" check in the code. This way, the code could know if it is deployed in a "Production-ready" environment (and will not call the said code) or a "Debug-enabled" environment (and could call the said code).
The hot-fix (that shouldn't be considered a definitive fix but that can fix the issue right now) would be to remove the information disclosure by entirely removing the use of PG_LAST_ERROR(). In any case, those errors are available in the application server logs anyway, in case a dev-team member needs them.
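One way to implement the environment-based check recommended above (added example, not code from the issue or the project; the `APP_ENV` variable and the helper names `is_debug_env`, `db_fail` and `db_query_or_fail` are assumptions, and the query in the usage comment is constructed):

```php
<?php
// Added example, not the project's code. APP_ENV, is_debug_env(), db_fail()
// and db_query_or_fail() are hypothetical names chosen for illustration.

// Pattern described in the issue: the driver error goes straight to the browser.
//   $res = pg_query($conn, $sql) or die(pg_last_error());

function is_debug_env(): bool
{
    // Assumption: deployment sets APP_ENV; anything but "debug" counts as production.
    return getenv('APP_ENV') === 'debug';
}

function db_fail($conn, string $context): void
{
    $detail = $conn ? pg_last_error($conn) : 'connection failed';
    // Correlation id lets a developer find the matching server-log entry.
    $ref = bin2hex(random_bytes(4));
    error_log(sprintf('[db:%s] %s: %s', $ref, $context, $detail));

    http_response_code(500);
    if (is_debug_env()) {
        // Debug only: show the detail, HTML-escaped because it can echo query text.
        die(htmlspecialchars("DB error ($context): $detail", ENT_QUOTES, 'UTF-8'));
    }
    // Production: generic message, no schema, query or driver details.
    die("An internal error occurred. Reference: $ref");
}

function db_query_or_fail($conn, string $sql, array $params = [])
{
    // Parameterised query; @ keeps PHP's own warning out of the response.
    $res = @pg_query_params($conn, $sql, $params);
    if ($res === false) {
        db_fail($conn, 'query');
    }
    return $res;
}

// Usage (connection string, table and $id are constructed placeholders):
// $conn = @pg_connect('host=localhost dbname=example') or db_fail(null, 'connect');
// $res  = db_query_or_fail($conn, 'SELECT * FROM stock WHERE id = $1', [$id]);
```

The reference id shown to the user matches the `error_log` entry, so the full `pg_last_error()` text stays in the server logs while remaining traceable.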