Does this error reveal too much?
Posted Tuesday, January 29, 2013 4:08 PM


I'm new to SQL, so I apologize for any incorrect terminology, etc.

If someone were trying to access this database, does this error reveal anything about the security measures taken, and make it possible to access data?

Thank you

Source Error:

An unhandled exception was generated during the execution of the current web request. Information regarding the origin and location of the exception can be identified using the exception stack trace below.

Stack Trace:

[FormatException: Invalid character in a Base-64 string.]
System.Convert.FromBase64String(String s) +0
CompanyName.MPM.Core.Security.Cryptography.PPMCryptography3DES.decrypt(String cipherText) +37
CompanyName.MPM.Core.Utilities.Utils.DecryptText(String input, enCryptographyMode mode) +328
CompanyName.MPM.Core.Recovery.RecoveryKey..ctor(String recoveryKey) +26
dotNet_login.AuthenticateUser() +1247
dotNet_login.Page_Load(Object sender, EventArgs e) +3858
System.Web.Util.CalliHelper.EventArgFunctionCaller(IntPtr fp, Object o, Object t, EventArgs e) +25
System.Web.Util.CalliEventHandlerDelegateProxy.Callback(Object sender, EventArgs e) +42
System.Web.UI.Control.OnLoad(EventArgs e) +132
PPMPage.OnLoad(EventArgs e) +631
System.Web.UI.Control.LoadRecursive() +66
System.Web.UI.Page.ProcessRequestMain(Boolean includeStagesBeforeAsyncPoint, Boolean includeStagesAfterAsyncPoint) +2428

Post #1413380
Posted Tuesday, January 29, 2013 7:25 PM

It seems to me that without the cypher key, it doesn't; I can tell the method you used to encrypt/decrypt, but I do not believe there is enough information there for someone without knowledge of the seed/cypher to decrypt the data on their own.
Post #1413415
Posted Thursday, February 14, 2013 6:59 AM
I believe a .NET error screen does reveal too much. It shows that you're using .NET, which is easy. However, it can also reveal things you don't want revealed such as database platform (some errors are specific to certain databases), table names, field names, etc. Giving away information is an invitation to a nefarious individual to attempt a hack on your site. There are known vulnerabilities on any platform, injection attacks to steal information, denial of service attacks, etc. There's really no reason to post an open invitation, which is how some people look at it.

The .NET error screens exist to help developers during the development process and should be turned off in a production environment.

Do yourself a favor: Look up the CustomErrors tag in your web.config file. You can do something like this:

<customErrors mode="On" defaultRedirect="ErrorHandler.aspx" />

You can include directions on how to handle specific error codes (i.e.: 404, 500, etc.). Any other errors are handled by the defaultRedirect attribute and get redirected to that page, where you can log the error. If you know about an error, you can address it. If you never find out that an error occurred, you cannot address it.

Post #1420037
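
A fuller form of the customErrors setting described in the last post, as an added example that is not part of the original thread. ErrorHandler.aspx is the page named in the post; NotFound.aspx and ServerError.aspx are hypothetical page names used for illustration.

```xml
<!-- Added example (constructed): web.config fragment for an ASP.NET site.
     NotFound.aspx and ServerError.aspx are hypothetical page names. -->
<configuration>
  <system.web>
    <!-- Weak setting: mode="Off" sends the full exception page, stack trace
         included, to every visitor.
         <customErrors mode="Off" />
    -->

    <!-- Corrected setting:
         mode="On"         every visitor gets the custom page.
         mode="RemoteOnly" remote visitors get the custom page; requests made
                           on the server itself still see the detail. -->
    <customErrors mode="On" defaultRedirect="ErrorHandler.aspx">
      <!-- Specific status codes get their own page. -->
      <error statusCode="404" redirect="NotFound.aspx" />
      <error statusCode="500" redirect="ServerError.aspx" />
      <!-- Anything else falls through to defaultRedirect. -->
    </customErrors>
  </system.web>
</configuration>
```

The exception detail should be written to a server-side log before the redirect, for example from Application_Error in Global.asax using Server.GetLastError(), so the error is still recorded even though the visitor no longer sees it.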