Does this error reveal too much?

  • I'm new to SQL, so I apologize for any incorrect terminology, etc.

    If someone were trying to access this database, does this error reveal anything about the security measures taken, and make it possible to access data?

    Thank you

    Source Error:

    An unhandled exception was generated during the execution of the current web request. Information regarding the origin and location of the exception can be identified using the exception stack trace below.

    Stack Trace:

    [FormatException: Invalid character in a Base-64 string.]
    System.Convert.FromBase64String(String s) +0
    CompanyName.MPM.Core.Security.Cryptography.PPMCryptography3DES.decrypt(String cipherText) +37
    CompanyName.MPM.Core.Utilities.Utils.DecryptText(String input, enCryptographyMode mode) +328
    CompanyName.MPM.Core.Recovery.RecoveryKey..ctor(String recoveryKey) +26
    dotNet_login.AuthenticateUser() +1247
    dotNet_login.Page_Load(Object sender, EventArgs e) +3858
    System.Web.Util.CalliHelper.EventArgFunctionCaller(IntPtr fp, Object o, Object t, EventArgs e) +25
    System.Web.Util.CalliEventHandlerDelegateProxy.Callback(Object sender, EventArgs e) +42
    System.Web.UI.Control.OnLoad(EventArgs e) +132
    PPMPage.OnLoad(EventArgs e) +631
    System.Web.UI.Control.LoadRecursive() +66
    System.Web.UI.Page.ProcessRequestMain(Boolean includeStagesBeforeAsyncPoint, Boolean includeStagesAfterAsyncPoint) +2428

  • It seems to me that without the cipher key, it doesn't; I can tell the method you used to encrypt/decrypt, but I do not believe there is enough information there for someone without knowledge of the seed/cipher to decrypt the data on their own.

  • I believe a .NET error screen does reveal too much. It shows that you're using .NET, which is easy. However, it can also reveal things you don't want revealed such as database platform (some errors are specific to certain databases), table names, field names, etc. Giving away information is an invitation to a nefarious individual to attempt a hack on your site. There are known vulnerabilities on any platform, injection attacks to steal information, denial of service attacks, etc. There's really no reason to post an open invitation, which is how some people look at it.

    The .NET error screens exist to help developers during the development process and should be turned off in a production environment.

    Do yourself a favor: Look up the CustomErrors tag in your web.config file. http://msdn.microsoft.com/en-us/library/h0hfz6fc%28v=vs.90%29.aspx You can do something like this:

    <customErrors mode="On" defaultRedirect="ErrorHandler.aspx">
    </customErrors>

    You can include directions on how to handle specific error codes (i.e.: 404, 500, etc.). Any other errors are handled by the defaultRedirect attribute and get redirected to that page, where you can log the error. If you know about an error, you can address it. If you never find out that an error occurred, you cannot address it.
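    The web.config settings the answer above points to, written out as an added example (this is not configuration from the original thread or from the poster's application). The commented-out lines are the settings that produce a page like the one in the question; the active lines are the hardened version. ErrorHandler.aspx and NotFound.aspx are assumed file names, and redirectMode requires .NET 3.5 SP1 or later.

```xml
<?xml version="1.0" encoding="utf-8"?>
<!-- Added example, not from the original thread.
     Assumed file names: ~/ErrorHandler.aspx, ~/NotFound.aspx -->
<configuration>
  <system.web>

    <!-- Weak: debug builds put source line numbers into stack traces and
         are slower in production.
    <compilation debug="true" />
    -->
    <compilation debug="false" />

    <!-- Weak: mode="Off" sends the full exception page (stack trace, type
         and method names, assembly names) to every remote client.
    <customErrors mode="Off" />
    -->

    <!-- mode="RemoteOnly": detailed page only for requests from localhost,
         generic page for everyone else. Use mode="On" to hide it from
         localhost as well.
         redirectMode="ResponseRewrite": the error page is served at the
         requested URL with the real HTTP status code, instead of a 302 to
         ErrorHandler.aspx?aspxerrorpath=/original/page, which leaks the
         path that failed and lets scanners tell errors from real pages. -->
    <customErrors mode="RemoteOnly"
                  defaultRedirect="~/ErrorHandler.aspx"
                  redirectMode="ResponseRewrite">
      <error statusCode="404" redirect="~/NotFound.aspx" />
      <error statusCode="500" redirect="~/ErrorHandler.aspx" />
    </customErrors>

  </system.web>
</configuration>
```

    With ResponseRewrite the error page's code-behind can still call Server.GetLastError() to record the real exception, and Application_Error in Global.asax is the usual place to log it with full detail before the client ever sees the generic page. The point is to keep the stack trace in the log and off the wire, not to lose it.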
