Wednesday, March 21, 2012

Is this a security risk?

I'm doing some testing on a vendor’s web site and ran into the error below. I
told the vendor that displaying this kind of error could give a hacker the
information needed to hack the db or attempt SQL injection attacks etc. (btw
this is a bank). The vendor is telling me that there is no danger in
releasing this information on the web site. I told them they need to display
something else.
Assuming you or a hacker had this information, company information and the
URL where this error occurred; do you think these pose a security risk?
*** This is the error with the table database and field names changed ****
Insert statement conflicted with COLUMN CHECK constraint
'AColumnCheckConstraint'.
The conflict occurred in database 'ADatabaseName', table 'ATableName',
column 'PaymentAmount'..,
PaymentXML: 10056AWEBWEB01-4858538-14 ... WEBSERVERNAME ...

Hi
It is a problem. If I was a hacker, I now have a good load of information to
start hacking with. Based on those names, I can deduce other names.
The toughest part of hacking is getting enough information so that you can
find a hole. This is a silver platter.
Regards
--
Mike Epprecht, Microsoft SQL Server MVP
Zurich, Switzerland
IM: mike@.epprecht.net
MVP Program: http://www.microsoft.com/mvp
Blog: http://www.msmvps.com/epprecht/
"Shark Bait" <SharkBait@.discussions.microsoft.com> wrote in message
news:15B676C1-BAF5-4566-BB1E-31A52B314810@.microsoft.com...
> I'm doing some testing on a vendor's web site and ran into the error
> below. I told the vendor that displaying this kind of error could give a
> hacker the information needed to hack the db or attempt SQL injection
> attacks etc. (btw this is a bank). The vendor is telling me that there is
> no danger in releasing this information on the web site. I told them they
> need to display something else.
> Assuming you or a hacker had this information, company information and the
> URL where this error occurred; do you think these pose a security risk?
> *** This is the error with the table database and field names changed ****
> Insert statement conflicted with COLUMN CHECK constraint
> 'AColumnCheckConstraint'.
> The conflict occurred in database 'ADatabaseName', table 'ATableName',
> column 'PaymentAmount'..,
> PaymentXML: 10056AWEBWEB01-4858538-14 ... WEBSERVERNAME ...
>

Of course that is a problem.
PURE Negligence.
Greg Jackson
PDX, Oregon
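
The remedy the thread points toward, as an added example that is not part of the original posts or the vendor's code: keep the full database error in a server-side log under an incident reference, show the user only a generic message, and check responses for leaked schema names. The function names, the logger name and the message wording are assumptions; the sample error is the text quoted in the post.

```python
import logging
import re
import uuid

log = logging.getLogger("payments")  # hypothetical logger name

# Patterns for the quoted identifiers in a SQL Server constraint-conflict
# message of the kind shown in the thread.
LEAK_PATTERNS = {
    "constraint": re.compile(r"constraint\s+'([^']+)'", re.I),
    "database": re.compile(r"database\s+'([^']+)'", re.I),
    "table": re.compile(r"table\s+'([^']+)'", re.I),
    "column": re.compile(r"column\s+'([^']+)'", re.I),
}


def leaked_identifiers(body):
    """Return the schema identifiers that a response body discloses."""
    found = {}
    for kind, pattern in LEAK_PATTERNS.items():
        names = pattern.findall(body)
        if names:
            found[kind] = names
    return found


def client_error(db_error):
    """Log the full error server-side; return (incident_id, generic message)."""
    incident_id = uuid.uuid4().hex[:12]
    log.error("incident=%s db_error=%s", incident_id, db_error)
    message = ("We could not process your payment. "
               f"Please contact support and quote reference {incident_id}.")
    return incident_id, message


# Sample input: the error text from the post (names already changed by the poster).
SAMPLE_ERROR = (
    "Insert statement conflicted with COLUMN CHECK constraint "
    "'AColumnCheckConstraint'. The conflict occurred in database "
    "'ADatabaseName', table 'ATableName', column 'PaymentAmount'."
)

if __name__ == "__main__":
    print(leaked_identifiers(SAMPLE_ERROR))   # what the raw page gives away
    incident, message = client_error(SAMPLE_ERROR)
    print(message)
    print(leaked_identifiers(message))        # nothing left to harvest
```

The same `leaked_identifiers` check can run in a test suite against rendered error pages so a regression that re-exposes raw database errors is caught before release.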
