August 03, 2005
How not to throw errors
I was just visiting the Linguistic Society of America's Web site, where they have a feature named Ask a Linguist. I went to browse their questions, and got the following error. (Detail here, click to see full screen.)
Wow, how many sins are commited here? Let us enumerate:
Did I miss any?
- Exposing the path, which gives us a nice picture of the server folder structure.
- Possibly (?) exposing the name of the server (ling0406).
- Exposing the SQL query, which tells us the schema for the SQL table in question.
- Exposing a stack trace, which tells me among other things that they're using an Oracle server.
Almost needless to say, you shouldn't show this kind of stuff to users. It's ugly. And more to the point, this is good information for those famous malicious users. See (again) Steve Friedl's writeup of how he cracked a site with SQL injection, and for which one task was to guess about the schema of SQL tables.
In ASP.NET, you should always set
customErrors in the Web.config file to
remoteOnly. That way you can see error information when testing on localhost, but no errors (and certainly nothing this, um, informative) are displayed to users. Something like this:
<customErrors mode="RemoteOnly" defaultRedirect="SiteError.aspx" />