About

I'm Mike Pope. I live in the Seattle area. I've been a technical writer and editor for over 30 years. I'm interested in software, language, music, movies, books, motorcycles, travel, and ... well, lots of stuff.
  11:17 PM

I was just visiting the Linguistic Society of America's Web site, where they have a feature named Ask a Linguist. I went to browse their questions, and got the following error. (Detail here, click to see full screen.)



Wow, how many sins are committed here? Let us enumerate:
  • Exposing the path, which gives us a nice picture of the server folder structure.
  • Possibly (?) exposing the name of the server (ling0406).
  • Exposing the SQL query, which tells us the schema for the SQL table in question.
  • Exposing a stack trace, which tells me among other things that they're using an Oracle server.
Did I miss any?

Almost needless to say, you shouldn't show this kind of stuff to users. It's ugly. And more to the point, this is good information for those famous malicious users. See (again) Steve Friedl's writeup of how he cracked a site with SQL injection, one step of which was guessing the schema of the SQL tables.

In ASP.NET, you should always set customErrors in the Web.config file to remoteOnly. That way you can see error information when testing on localhost, but no errors (and certainly nothing this, um, informative) are displayed to users. Something like this:

<customErrors mode="RemoteOnly" defaultRedirect="SiteError.aspx" />
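As an added check (not part of the original post), here is a small script that scans an error response body for the kinds of leakage enumerated above, the sort of thing you can run against your own site's error pages in a test. The sample error page and the internal-hostname list are constructed for illustration; `ling0406` appears only because the post mentions it.

```python
import re

# Constructed sample of the kind of ASP.NET error page the post describes.
# This is invented text, not the contents of the original screenshot.
SAMPLE_ERROR_PAGE = """Server Error in '/' Application.
ORA-00942: table or view does not exist
Server: ling0406
Source File: C:\\Inetpub\\wwwroot\\askling\\questions.aspx    Line: 42
Query: SELECT question_id, body, answer FROM ask_questions WHERE status = 'open'
Stack Trace:
   at System.Data.OracleClient.OracleCommand.ExecuteReader()
   at AskLing.Questions.Page_Load(Object sender, EventArgs e)
"""

# What a user should see instead: a generic message with nothing to mine.
SAFE_ERROR_PAGE = "Sorry, something went wrong on our end. Please try again later."

# One pattern per "sin": server paths, SQL text, stack frames, database vendor hints.
LEAK_PATTERNS = {
    "filesystem path": re.compile(r"\b[A-Za-z]:\\[^\s\"<>]+"),
    "sql query": re.compile(r"\b(SELECT|INSERT|UPDATE|DELETE)\b.+\b(FROM|INTO|SET)\b", re.I),
    "stack trace": re.compile(r"^\s+at\s+[\w.]+\(", re.M),
    "database vendor": re.compile(r"\bORA-\d{5}\b|System\.Data\.(OracleClient|SqlClient)"),
}


def find_leaks(body, internal_names=()):
    """Return {category: first offending fragment} for every leak found in body.

    internal_names is an optional list of hostnames that must never appear
    in a response (the post's "server name" sin cannot be detected generically).
    """
    found = {}
    for name, pattern in LEAK_PATTERNS.items():
        match = pattern.search(body)
        if match:
            found[name] = match.group(0)
    for host in internal_names:
        if host.lower() in body.lower():
            found["server name"] = host
            break
    return found


def is_safe_error_page(body, internal_names=()):
    """True when the body discloses none of the categories above."""
    return not find_leaks(body, internal_names)


if __name__ == "__main__":
    for category, fragment in find_leaks(SAMPLE_ERROR_PAGE, ("ling0406",)).items():
        print(f"{category}: {fragment}")
```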
