I'm doing some testing on a vendor’s web site and ran into the error below. I
told the vendor that displaying this kind of error could give a hacker the
information needed to hack the db or attempt SQL injection attacks etc. (btw
this is a bank). The vendor is telling me that there is no danger in
releasing this information on the web site. I told them they need to display
something else.
Assuming you or a hacker had this information, company information and the
URL where this error occurred; do you think these pose a security risk?
*** This is the error with the table database and field names changed ****
Insert statement conflicted with COLUMN CHECK constraint
'AColumnCheckConstraint'.
The conflict occurred in database 'ADatabaseName', table 'ATableName',
column 'PaymentAmount'..,
PaymentXML: 10056AWEBWEB01-4858538-14 ... WEBSERVERNAME ...
Mike Epprecht (SQL MVP) - 27 Apr 2005 17:49 GMT
Hi
It is a problem. If I was a hacker, I now have a good load of information to
start hacking with. Based on those names, I can deduce other names.
The toughest part of hacking is getting enough information so that you can
find a hole. This is a Silver platter.
Regards
--------------------------------
Mike Epprecht, Microsoft SQL Server MVP
Zurich, Switzerland
IM: mike@epprecht.net
MVP Program: http://www.microsoft.com/mvp
Blog: http://www.msmvps.com/epprecht/
> I'm doing some testing on a vendor's web site and ran into the error
> below. I
[quoted text clipped - 15 lines]
> column 'PaymentAmount'..,
> PaymentXML: 10056AWEBWEB01-4858538-14 ... WEBSERVERNAME ...
pdxJaxon - 29 Apr 2005 19:55 GMT
Of course that is a problem.
PURE Negligence.
Greg Jackson
PDX, Oregon
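
Added example, not posted by anyone in this thread and not the vendor's code: a Python sketch of the fix the original poster asked for, where the full database error goes to a server-side log under a reference id and the browser gets only a generic message. It also includes a check that flags responses containing SQL Server constraint-conflict text like the error quoted above. All function names are hypothetical, and the sample error is built from the anonymized message in the question.

```python
import logging
import re
import uuid

log = logging.getLogger("payments")  # hypothetical logger name

# Constructed sample: the anonymized error text from the original post.
SAMPLE_ERROR = (
    "Insert statement conflicted with COLUMN CHECK constraint\n"
    "'AColumnCheckConstraint'.\n"
    "The conflict occurred in database 'ADatabaseName', table 'ATableName',\n"
    "column 'PaymentAmount'.."
)

# Phrases that mark a raw SQL Server constraint-conflict message.
LEAK_PATTERNS = [
    re.compile(r"statement conflicted with .*? constraint", re.I | re.S),
    re.compile(r"conflict occurred in database '[^']*',\s+table '[^']*'", re.I),
]
# Quoted schema identifiers following a keyword, e.g. table 'ATableName'.
SCHEMA_NAMES = re.compile(r"\b(database|table|column|constraint)\s+'([^']+)'", re.I)


def leaks_db_detail(text):
    """True if a response body contains raw constraint-conflict text."""
    return any(p.search(text) for p in LEAK_PATTERNS)


def leaked_identifiers(text):
    """List (kind, name) pairs of schema identifiers exposed in text."""
    return [(kind.lower(), name) for kind, name in SCHEMA_NAMES.findall(text)]


def safe_error_response(exc):
    """Log the full detail server-side; return only a generic body."""
    ref = uuid.uuid4().hex[:12]
    # The detail may include payment data, so restrict access to this log.
    log.error("db error ref=%s detail=%s", ref, exc)
    return 500, "We could not process your payment. Reference: " + ref


def handle_payment(insert_fn):
    """Run the insert; never let a database exception reach the client."""
    try:
        insert_fn()
        return 200, "Payment accepted."
    except Exception as exc:
        return safe_error_response(exc)
```

Running `leaks_db_detail` over outgoing response bodies in a test suite or a proxy gives a regression check that the raw message never reappears.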