6 – Security Misconfiguration

This flaw arises from an insecure configuration on any of the servers involved (web, web service, or database), and it covers the infrastructure as well as the application-level configuration. As an application security expert, you therefore need to review both the infrastructure and the application. The following questions give a starting point for spotting this issue:

  • Are any of the production servers (web, web service, or database) missing security patches?
  • Do any of the production servers (web, web service, or database) still run with insecure default settings? (For example, default credentials.)
  • Are any unnecessary services enabled on any of the servers?
  • Does the application return default error pages that expose stack traces or other internal details to users?
  • Have any development artifacts been deployed to production? (For example, test pages, test credentials, or test data.)
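The checklist above can be turned into an automated audit. The script below is an added example and is not part of the book; it assumes a configuration dump in a simple INI format with `[versions]`, `[services]` and `[app]` sections, and the lists of default credentials, unnecessary services, minimum versions and test-path patterns are illustrative assumptions that you would tune to the products you actually run. Both configuration dumps are constructed for the example.

```python
"""Audit an INI-style server configuration dump for security misconfigurations.

Added example (not from the book). The config format, section names and the
weak-default lists below are assumptions made for illustration only.
"""
import configparser
import re

# Assumed, illustrative lists: adjust them to the products you actually run.
DEFAULT_CREDENTIALS = {
    ("admin", "admin"), ("admin", "password"), ("root", "root"),
    ("sa", ""), ("tomcat", "tomcat"), ("postgres", "postgres"),
}
UNNECESSARY_SERVICES = {"telnet", "ftp", "rsh", "finger", "smb"}
# Minimum acceptable versions (assumed numbers, not real patch baselines).
MIN_VERSIONS = {"nginx": (1, 24, 0), "postgresql": (15, 4), "tomcat": (9, 0, 80)}
# Route names that usually belong to development or test artifacts.
TEST_PATH = re.compile(r"(^|/)(test|tests|debug|phpinfo|sample|samples|examples?)([./-]|$)", re.I)


def _version_tuple(text: str) -> tuple[int, ...]:
    """'1.18.0' -> (1, 18, 0); any non-numeric parts are ignored."""
    return tuple(int(p) for p in re.findall(r"\d+", text))


def audit(config_text: str) -> list[str]:
    """Return one finding string per misconfiguration found in the dump."""
    cfg = configparser.ConfigParser(allow_no_value=True, interpolation=None)
    cfg.read_string(config_text)
    findings: list[str] = []

    # Check 1: missing patches. Each [versions] entry is compared to MIN_VERSIONS.
    if cfg.has_section("versions"):
        for product, version in cfg.items("versions"):
            minimum = MIN_VERSIONS.get(product)
            if minimum and _version_tuple(version) < minimum:
                wanted = ".".join(map(str, minimum))
                findings.append(f"[versions] {product} {version} is below {wanted}")

    # Check 2: default credentials in any section that carries username/password.
    for section in cfg.sections():
        user = cfg.get(section, "username", fallback=None)
        if user is None:
            continue
        pwd = cfg.get(section, "password", fallback="")
        if (user.lower(), pwd) in DEFAULT_CREDENTIALS:
            findings.append(f"[{section}] default credentials {user}/{pwd or '<empty>'}")

    # Check 3: unnecessary services listed as enabled.
    enabled = cfg.get("services", "enabled", fallback="")
    for svc in (s.strip().lower() for s in enabled.split(",") if s.strip()):
        if svc in UNNECESSARY_SERVICES:
            findings.append(f"[services] unnecessary service enabled: {svc}")

    # Check 4: verbose error handling that leaks stack traces to users.
    if cfg.getboolean("app", "debug", fallback=False):
        findings.append("[app] debug=true: default error pages will expose stack traces")
    if cfg.getboolean("app", "show_stack_trace", fallback=False):
        findings.append("[app] show_stack_trace=true: stack traces returned to users")

    # Check 5: development artifacts deployed as production routes.
    routes = cfg.get("app", "routes", fallback="")
    for path in (r.strip() for r in routes.split(",") if r.strip()):
        if TEST_PATH.search(path):
            findings.append(f"[app] test/dev route deployed: {path}")
    return findings


# Constructed sample: a production host that fails every question on the checklist.
WEAK_CONFIG = """
[versions]
nginx = 1.18.0
postgresql = 15.4

[database]
host = db.internal
username = postgres
password = postgres

[admin_console]
username = admin
password = admin

[services]
enabled = https, ssh, telnet, ftp

[app]
debug = true
show_stack_trace = true
routes = /, /login, /api/v1, /test/upload, /phpinfo.php
"""

# Constructed sample: the same host after remediation.
HARDENED_CONFIG = """
[versions]
nginx = 1.24.0
postgresql = 15.4

[database]
host = db.internal
username = app_rw
password = <from-secret-store>

[services]
enabled = https, ssh

[app]
debug = false
show_stack_trace = false
routes = /, /login, /api/v1
"""

if __name__ == "__main__":
    for finding in audit(WEAK_CONFIG):
        print(finding)
    print(f"hardened config findings: {audit(HARDENED_CONFIG)}")
```

Running it against `WEAK_CONFIG` reports nine findings (an outdated nginx, two sets of default credentials, telnet and ftp, both verbose-error flags, and two test routes), while `HARDENED_CONFIG` produces none. The version check is deliberately a plain tuple comparison against a baseline you maintain; in practice that baseline comes from your patch-management data, not from a hard-coded dictionary.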