sikandar
Junior Member
Pakistan
135 Posts
Posted - 19 November 2008 : 02:47:24
Hi, I have noticed a security hole: if the site is not connecting to the database for any reason, like the password or any other reason, then if a member tries to connect he/she will get the following error message:
Microsoft OLE DB Provider for ODBC Drivers error '80004005'
[MySQL][ODBC 3.51 Driver]Access denied for user: 'mydbusername@ip of mydb server' (Using password: YES)
/inc_header.asp, line 121
The error is sharing two very secret pieces of info with any member:
mydbusername@ip of mydb server
Now he/she only has to find the password.
Correct me if I am wrong, as I think this error should be replaced with an error without this info.
Thanks

Carefree
Advanced Member
Philippines
4217 Posts
Posted - 19 November 2008 : 03:25:48
Since "Access denied" is not mentioned anywhere in the original 3.4.06 Snitz package, you probably have a mod in place which is causing your security issue.

Shaggy
Support Moderator
Ireland
6780 Posts
Posted - 19 November 2008 : 04:17:45
That's an ASP/DB error, absolutely nothing to do with Snitz; the only way to get rid of it is to configure IIS not to send detailed error messages or to use a custom error page but that will apply to all ASP/DB errors.
HuwR
Forum Admin
United Kingdom
20595 Posts
Posted - 19 November 2008 : 06:24:40
I think that is also pretty specific to MySQL; I'm pretty sure that if that was MSSQL or Access it would NOT give out the username in question, just that access was denied to the database.
In a production site, you should turn off providing errors in IIS, so any errors will just present the users with a generic 'There was an error' message string.
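
Added example (not part of any post in this thread, and not Snitz code): after turning off detailed errors in IIS as the replies suggest, a site owner can check a saved response body for the details the quoted error disclosed. The function names, the sample HTML and the values `dbuser` and `203.0.113.10` are constructed for illustration.

```python
import html
import re

# What the error quoted in the first post gives away, one pattern per detail.
LEAK_PATTERNS = {
    "provider_error": re.compile(
        r"Microsoft OLE DB Provider for [\w ]+? error '([0-9A-Fa-f]{8})'"),
    "db_account": re.compile(r"Access denied for user:?\s*'([^'@]+)@([^']+)'"),
    "script_location": re.compile(r"(/[\w./-]+\.asp)\s*,\s*line (\d+)"),
}

# Constructed sample: a detailed error page with placeholder account and host.
DETAILED_BODY = (
    "<font face=\"Arial\" size=2><p>Microsoft OLE DB Provider for ODBC Drivers"
    "</font> <font face=\"Arial\" size=2>error &#39;80004005&#39;</font><p>"
    "[MySQL][ODBC 3.51 Driver]Access denied for user: 'dbuser@203.0.113.10' "
    "(Using password: YES)<p>/inc_header.asp<font size=2>, line 121</font>"
)
# Constructed sample: what visitors should see once detailed errors are off.
GENERIC_BODY = "<html><body><h1>There was an error.</h1></body></html>"


def normalize(body):
    """Strip tags, decode entities and collapse whitespace before matching."""
    text = html.unescape(re.sub(r"<[^>]+>", " ", body))
    return " ".join(text.split())


def find_leaks(body):
    """Return {detail_name: captured values} for each detail the body discloses."""
    text = normalize(body)
    leaks = {}
    for name, pattern in LEAK_PATTERNS.items():
        match = pattern.search(text)
        if match:
            leaks[name] = match.groups()
    return leaks


def audit_body(body):
    """Return ("FAIL", [details]) if anything leaks, otherwise ("PASS", [])."""
    leaks = find_leaks(body)
    return ("FAIL", sorted(leaks)) if leaks else ("PASS", [])


if __name__ == "__main__":
    for label, body in (("detailed", DETAILED_BODY), ("generic", GENERIC_BODY)):
        print(label, audit_body(body), find_leaks(body))
```

Run it against a response captured while the database connection is deliberately broken on a test copy of the site; a PASS on the generic page confirms the IIS setting took effect.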