Does this error reveal too much?


ghster
I'm new to SQL, so I apologize for any incorrect terminology, etc.

If someone were trying to access this database, does this error reveal anything about the security measures taken, and make it possible to access data?

Thank you

Source Error:

An unhandled exception was generated during the execution of the current web request. Information regarding the origin and location of the exception can be identified using the exception stack trace below.

Stack Trace:

[FormatException: Invalid character in a Base-64 string.]
System.Convert.FromBase64String(String s) +0
CompanyName.MPM.Core.Security.Cryptography.PPMCryptography3DES.decrypt(String cipherText) +37
CompanyName.MPM.Core.Utilities.Utils.DecryptText(String input, enCryptographyMode mode) +328
CompanyName.MPM.Core.Recovery.RecoveryKey..ctor(String recoveryKey) +26
dotNet_login.AuthenticateUser() +1247
dotNet_login.Page_Load(Object sender, EventArgs e) +3858
System.Web.Util.CalliHelper.EventArgFunctionCaller(IntPtr fp, Object o, Object t, EventArgs e) +25
System.Web.Util.CalliEventHandlerDelegateProxy.Callback(Object sender, EventArgs e) +42
System.Web.UI.Control.OnLoad(EventArgs e) +132
PPMPage.OnLoad(EventArgs e) +631
System.Web.UI.Control.LoadRecursive() +66
System.Web.UI.Page.ProcessRequestMain(Boolean includeStagesBeforeAsyncPoint, Boolean includeStagesAfterAsyncPoint) +2428
jchapman
It seems to me that without the cypher key, it doesn't; I can tell the method you used to encrypt/decrypt, but I do not believe there is enough information there for someone without knowledge of the seed/cypher to decrypt the data on their own.
Ed Wagner
I believe a .NET error screen does reveal too much. It shows that you're using .NET, which is easy. However, it can also reveal things you don't want revealed such as database platform (some errors are specific to certain databases), table names, field names, etc. Giving away information is an invitation to a nefarious individual to attempt a hack on your site. There are known vulnerabilities on any platform, injection attacks to steal information, denial of service attacks, etc. There's really no reason to post an open invitation, which is how some people look at it.

The .NET error screens exist to help developers during the development process and should be turned off in a production environment.

Do yourself a favor: Look up the CustomErrors tag in your web.config file. http://msdn.microsoft.com/en-us/library/h0hfz6fc%28v=vs.90%29.aspx You can do something like this:

<customErrors mode="On" defaultRedirect="ErrorHandler.aspx">
</customErrors>



You can include directions on how to handle specific error codes (i.e.: 404, 500, etc.). Any other errors are handled by the defaultRedirect attribute and get redirected to that page, where you can log the error. If you know about an error, you can address it. If you never find out that an error occurred, you cannot address it.


Tally Tables - Performance Personified
String Splitting with True Performance
Best practices on how to ask questions
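
Added example (not part of any post in this thread): a Python check that a site owner can run over their own response bodies to see whether an ASP.NET detailed error page is being served, and which application frames and algorithm names it discloses. The sample body is constructed from a few lines of the trace quoted in the first post; `audit_error_page`, the regexes and the algorithm list are illustrative assumptions.

```python
import re

# Constructed sample: a response body carrying a few lines of the trace quoted above.
SAMPLE_BODY = """Stack Trace:

[FormatException: Invalid character in a Base-64 string.]
System.Convert.FromBase64String(String s) +0
CompanyName.MPM.Core.Security.Cryptography.PPMCryptography3DES.decrypt(String cipherText) +37
CompanyName.MPM.Core.Recovery.RecoveryKey..ctor(String recoveryKey) +26
dotNet_login.AuthenticateUser() +1247
System.Web.UI.Control.OnLoad(EventArgs e) +132
"""

# "[ExceptionType: message]" header line of the trace.
EXCEPTION_RE = re.compile(r"^\[(\w+(?:\.\w+)*): (.*)\]\s*$", re.M)
# A frame is "Namespace.Type.Method(args) +offset"; "..ctor" marks a constructor.
FRAME_RE = re.compile(r"^\s*([\w.`<>]+)\(([^)]*)\) \+\d+\s*$", re.M)
# Frames under these prefixes belong to the framework, not the application.
FRAMEWORK_PREFIXES = ("System.", "Microsoft.")
# Algorithm names that sometimes appear in class names (illustrative, case-sensitive).
CRYPTO_RE = re.compile(r"3DES|TripleDES|DES|AES|RSA|MD5|SHA1|RC4")


def audit_error_page(body):
    """Report what a response body discloses if it contains an ASP.NET stack trace."""
    exc = EXCEPTION_RE.search(body)
    frames = [m.group(1) for m in FRAME_RE.finditer(body)]
    app_frames = [f for f in frames if not f.startswith(FRAMEWORK_PREFIXES)]
    return {
        # True only when both an exception header and at least one frame are present.
        "detailed_error": bool(exc and frames),
        "exception": exc.group(1) if exc else None,
        "message": exc.group(2) if exc else None,
        "framework": ".NET" if any(f.startswith("System.") for f in frames) else None,
        # Application namespaces, classes and methods visible to any visitor.
        "app_frames": app_frames,
        "crypto_hints": sorted({h for f in app_frames for h in CRYPTO_RE.findall(f)}),
    }


if __name__ == "__main__":
    for key, value in audit_error_page(SAMPLE_BODY).items():
        print(f"{key}: {value}")
```

With `customErrors` set to `On`, the same check against the redirected error page should report `detailed_error` as false and an empty `app_frames` list.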