SitePoint Sponsor

User Tag List

Results 1 to 5 of 5
  1. #1
    SitePoint Enthusiast
    Join Date
    Mar 2003
    Location
    PA
    Posts
    92
    Mentioned
    0 Post(s)
    Tagged
    0 Thread(s)

    Is this a security risk?

    I'm doing some testing on a vendorís web site and ran into the error below. I told the vendor that displaying this kind of error could give a hacker the information needed to hack the db or attempt SQL injection attacks etc. (btw this is a bank). The vendor is telling me that there is no danger in releasing this information on the web site.



    Assuming you or a hacker had this information, company information and the URL where this error occurred; do you think these pose a security risk?



    Code:
    [color blue]
    Code:
    Insert statement conflicted with COLUMN CHECK constraint 'AColumnCheckConstraint'. The conflict occurred in database 'ADatabaseName', table 'ATableName', column 'PaymentAmount'.., PaymentXML: 10056AWEBWEB01-4858538-14 ... WEBSERVERNAME ... 
    [/color]

  2. #2
    SitePoint Wizard HarryR's Avatar
    Join Date
    Dec 2004
    Location
    London, UK
    Posts
    1,376
    Mentioned
    0 Post(s)
    Tagged
    0 Thread(s)
    Hi,
    In my opinion that is a fairly large 'information leak'.. e.g. if a SQL injection exploit were found on another part of the website, I could then use the information from that error to perhaps make my payment get flagged as accepted, or whatever the error you were talking about relates to.

    Personally I think all emails should be emailed to the administration team, while a polite message informs the user that an error has occured on the page and that their transaction has been suspended to insure that no mistakes are made, and that they should try again shortly.

    Regards,
    Harry

  3. #3
    Snowboarders die even younger igor.kudela's Avatar
    Join Date
    Feb 2005
    Posts
    731
    Mentioned
    0 Post(s)
    Tagged
    0 Thread(s)
    well not really it would have to be one badly written app to use this to hack into it but its considered baad practice and does give a bit of inside info to a potential hacker but its rather insiginificant considering what needs to be done in order to hack into such a system
    Igor Kudela
    NetPublisher - FREE Customizable .NET CMS

  4. #4
    SitePoint Enthusiast
    Join Date
    Mar 2003
    Location
    PA
    Posts
    92
    Mentioned
    0 Post(s)
    Tagged
    0 Thread(s)
    Thanks, I really thought this was a big deal. Not so much because someone could hack the db itself but because of sql injection issues. Oh and btw I think it is badly written, the sql is on the page which make SQL injection possible.

  5. #5
    SitePoint Zealot Scott.Mc's Avatar
    Join Date
    Jul 2004
    Location
    Scotland
    Posts
    158
    Mentioned
    0 Post(s)
    Tagged
    0 Thread(s)
    the sql is on the page which make SQL injection possible.
    Explain yourself. I doubt a "bank" would be vulnrable to somthing as stupid as SQL injection. While the information does provide details of the database and table names, it in no way itself will cause any harm to the server. If they where indeed ever "hacked" then somthing as silly as showing the database errors on the page will not matter since they would already have that information anyway.

    Personally I do not see this as a security risk, although I would not leave that information around just for the fact of it showing table names, no need to show a user that sort of information, half of them wont understand.

    -Scott Mcintyre
    Linux Server Management - AdminGeekZ.com
    Is your website Sluggish? Unavailable? Insecure?

    Why not call us? +44 0141 2800134


Bookmarks

Posting Permissions

  • You may not post new threads
  • You may not post replies
  • You may not post attachments
  • You may not edit your posts
  •