Tek-Tips is the largest IT community on the Internet today!

Members share and learn making Tek-Tips Forums the best source of peer-reviewed technical information on the Internet!

Register Log in
  • Congratulations strongm on being selected by the Tek-Tips community for having the most helpful posts in the forums last week. Way to Go!

Is this a security risk?

Status
Not open for further replies.
SharkTooth

SharkTooth

Programmer
Aug 12, 2004
29
US
I'm doing some testing on a vendor’s web site and ran into the error below. I told the
vendor that displaying this kind of error could give a hacker the information needed to
hack the db or attempt SQL injection attacks etc. (btw this is a bank). The vendor is telling
me that there is no danger in releasing this information on the web site. I thold them they need to display something else.

Assuming you or a hacker had this information, company information and the URL where this
error occurred; do you think these pose a security risk?
Code: 
[COLOR=blue]

Insert statement conflicted with COLUMN CHECK constraint 'AColumnCheckConstraint'. 
The conflict occurred in database 'ADatabaseName', table 'ATableName', column 'PaymentAmount'.., 
PaymentXML: 10056AWEBWEB01-4858538-14 ... WEBSERVERNAME ... 

[/color]
 
Sort by date Sort by votes
All errors must be handled by the applicationa and give back human readable information to the user. For example a simple messgae of "Record not Found" etc would cover it. Sound more like sloppy programming than anything else to me.

Do not take life too seriously, because in the end, you won't come out alive anyway
 
Upvote 0 Downvote
Absolutely.

Never give details of your set up over a website.

There are a number of methods of compromising that particular error message into accessing the rest of the table, unless very rigourous protection is in place.

I'd suggest (DO NOT DO THIS without first getting the client's approval) proving the danger to the client by bringing up the table contents onscreen from an external source.

Cheers,
Dave

Probably the only Test Analyst on Tek-Tips

animadverto vos in Abyssus!

Take a look at Forum1393 & sign up if you'd like
 
Upvote 0 Downvote
Thanks. I'm not sure how I would be able to get the information to display. I'm no hacker, I think I could inject something though.
 
Upvote 0 Downvote
Do a quick google on "SQL Injection"

Showing details about your schema in an error message is a definite risk.

Chip H.


____________________________________________________________________
If you want to get the best response to a question, please read FAQ222-2244 first
 
Upvote 0 Downvote
Status
Not open for further replies.

Similar threads

Sameer258
  • Locked
  • Question
Need Help to Find ip and mac address with email who one open my email
Replies
0
Views
289
Sameer258
Sameer258
gbayi_omo
  • Locked
  • Question
Cisco ASA 5505 not allowing access to highest security zone
Replies
0
Views
75
gbayi_omo
gbayi_omo
Sparrow4
  • Locked
  • Question
AnyConnect + Azure + SAML
Replies
0
Views
246
Sparrow4
Sparrow4
abhi21
  • Locked
  • Question
Interesting article on Cyber Security
Replies
0
Views
71
abhi21
abhi21
Tommy_T
  • Locked
  • Question
Sonic wall - Have an issue remotely connectioning VNC and SMB (and AFP) to one of the 2 ISP circuits
Replies
1
Views
247
nnaarrnn
nnaarrnn

Part and Inventory Search

Sponsor

Back
Top