rowanmoor
October 22, 2007 10:46 am
I just got an error when trying to post. Not a problem in itself as it sorted itself out after a couple of minutes, but the error message it gave was way too helpful to someone like me who does web-site and database programming work. Had I had malicious intent it would have been like Christmas. It not only told me what database is used etc, but the structure of the members table!
Ideally when errors occur it should just give a very bland message along the lines of 'an error has occurred and been logged' and the full detail of it then logged somewhere for debugging purposes if needed.
I have no idea if the software the site uses has that as an option or what though. It would be worth finding out though.
Ciaran
October 22, 2007 11:13 am
The thing is though, IPB is publicly available software, so anyone who wants to can go and download it, and have a butchers at how its data tables are structured.
I agree though, it's a bit 'TMI' to be handing that info out to users, some of whom wouldn't know what to do with it, much less care!

Ciarán
rowanmoor
October 22, 2007 01:38 pm
I'm sure they can, but one of the first rules of web site security is never give the hacker more info than you have to. You would be amazed what can be worked out about a site etc from error messages like that. The harder it is for someone to find out info about the site the less likely they are to keep trying.
There are only a few possible databases to put behind anything (SQL Server, Oracle and MySQL being the main ones that come to mind) and anyone can find out the differences between their SQL syntax and how to do more advanced things in any of them within a couple of minutes on Google. But, telling a hacker which one it is just saves them having to try 3 different things before finding it out. Therefore they are more likely to try.
And as you say - it is far too technical for most users to care about, so showing it just upsets them. I have had verbal abuse from users before about errors being too technical.
Ciaran
October 22, 2007 01:43 pm
You do have a good point, a bit like with car thieves, why give them an easy ride. Not that Club-XM has anything of a highly sensitive nature, but then again it doesn't take much for cyber vandals to get started, much like the off-line ones!
I didn't think MySQL and Oracle (bad word round here) were as vulnerable to the SQL injection issues as the likes of MS SQL... then again, that was more due to its usual correlation with unsecured ASP based scripts, than the database server itself...
rowanmoor
October 22, 2007 03:06 pm
I recently had my email address farmed from a very small online shop (I use different addresses for unknown web sites and there is no evidence of address guesswork going on) and I am fairly sure it was by a SQL-Injection attack reading off the customer list as I proved that was possible (and then told the site it was open to attack and pointed them to resources to show them how to fix it). I'm sure they didn't think they would be a target, and they certainly thought they were secure.
As you say, the SQL-Injection thing is all down to the site coding, so there is no reason something with Oracle behind it cannot have that problem. However, in practice it is probably far rarer for a number of reasons:
1) Oracle is more often used by 'bigger' fish who are more security conscious (like financial institutions etc) so they are going to make sure their systems are secure. You should see the hoops we have to jump through to write a site for them. How many firewalls do you need between the database and the outside world? Bidding starts at 4.
2) The 'less good' programmers tend to congregate around Microsoft technology as it is easier to get into. That is not to say that there are no good programmers using SQL Server - quite the opposite. Just that there are comparatively few bad programmers working on real world Oracle systems as it is harder to get into if you aren't up to a decent standard.
Why don't you like Oracle in your neck of the woods then?
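As an added example (not code from this thread or from IPB), the two points rowanmoor makes above, a bland error message with the full detail logged server-side, and a customer lookup written so that user input cannot alter the query, shown in Python with an in-memory SQLite table standing in for the shop's members table; the table layout, addresses and function names are constructed for illustration.

```python
import logging
import sqlite3
import uuid

log = logging.getLogger("shop")


def make_db():
    """Constructed in-memory stand-in for the shop's customer table."""
    conn = sqlite3.connect(":memory:")
    conn.execute("CREATE TABLE members (id INTEGER PRIMARY KEY, email TEXT, name TEXT)")
    conn.executemany("INSERT INTO members (email, name) VALUES (?, ?)",
                     [("alice@example.com", "Alice"), ("bob@example.com", "Bob")])
    conn.commit()
    return conn


def find_member_concat(conn, email):
    """The injectable pattern: the user's input is spliced into the SQL text,
    so a stray quote changes the statement instead of the value."""
    sql = "SELECT name FROM members WHERE email = '" + email + "'"
    return [row[0] for row in conn.execute(sql)]


def find_member_param(conn, email):
    """The fix: bind the input as a parameter; the database treats it purely
    as a value, whatever characters it contains."""
    rows = conn.execute("SELECT name FROM members WHERE email = ?", (email,))
    return [row[0] for row in rows]


def handle_lookup(conn, email, lookup=find_member_param):
    """Web-layer wrapper. Returns (status, body). The database error text,
    which names tables and columns, goes to the server log under a reference
    id; the user only ever sees the bland message plus that reference."""
    try:
        return 200, lookup(conn, email)
    except sqlite3.Error:
        ref = uuid.uuid4().hex[:8]
        log.exception("member lookup failed, ref=%s", ref)
        return 500, f"An error has occurred and been logged (ref {ref})."


if __name__ == "__main__":
    db = make_db()
    # An ordinary address containing an apostrophe breaks the concatenated
    # query (the kind of error the forum showed its users) but not the bound one.
    print(handle_lookup(db, "o'brien@example.com", find_member_concat))
    print(handle_lookup(db, "o'brien@example.com"))
    print(handle_lookup(db, "alice@example.com"))
```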
xm_on_a_shoestring
October 31, 2007 03:10 pm
Hi All
There's a new software program called Forcefield available from AVG in beta format for XP SP2 and above.
Testing Details - Required for testing:
Do not install this beta unless you have the following configuration:
Windows XP SP2 or Windows Vista (works but is slightly less tested and stable than on XP)
Internet Explorer 6/7 or Firefox 2.0 *ONLY*
Caution!!! This is beta-quality software! Unlike a firewall product, ForceField does not interact deep in the kernel and thus should not cause significant, complex or irreversible issues on your computer. Nonetheless, this is still beta-quality software.
This may be what you're looking for.
shoestring
rowanmoor
November 02, 2007 04:58 pm
Forcefield is Zone Alarm (easy to mix up with AVG - both do very good free tools that everyone should be using unless they use a good alternative).
It is a bit different though. It is protecting you as you surf. We are talking about website security - what happens to the site after you have disconnected and turned off your PC.
e.g.
You register on a site and leave your details - name, address, email etc. If it is a shop you are buying from you have to put in real details.
A hacker then goes to the same site. They use well known hacking techniques to retrieve a list of the customer details from the web site. That includes your details. In my case on a site I ordered from, they got the email address I had used and then started spamming it.
Now, because I used a unique address on that site I can just go into my email settings on the ISP I use for email and 'turn off' that email address. I just hope they didn't get my credit card number at the same time, though.