John,
I would personally be more concerned about someone having a 'clone' of my 
system and gaining more information than them being able to glean much from 
error messages.  Yes, I understand that an error message from the underlying 
vendor db (SQL Server) for example tells them what DB you are running on... but 
I've never been exceedingly concerned about that... I guess I've never been in a 
position where the system I support is so critical that someone is going to 
attack it and any little piece of information provides another nugget of 
capability to exploit.

Being in DOD contracting I understand the concerns for security and such, I'm 
just not sure what they would do with something like the error they 
described.

-----Original Message-----
From: Action Request System discussion list(ARSList) 
[mailto:arslist@ARSLIST.ORG] On Behalf Of John Baker
Sent: Monday, October 08, 2012 7:36 AM
To: arslist@ARSLIST.ORG
Subject: Results of an application pen-test - need to close holes

LJ,

2. Improper error handling

The concern would be that the SQL message may reveal information that allows a 
third party to establish the type of database, IP address, etc.
They would then be in a position to mount an attack with information known 
about that database, i.e. current security concerns etc.

5. Forced browsing

You correctly identify a good SSO deployment (i.e. the JSS SSO Plugin :-) as a 
solution to forced browsing, i.e. ensuring the user has authenticated before 
being able to access a resource.

John
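To make the two findings above concrete, here is an added Python model of a web-tier request handler. It is example code written for this page, not code from either poster, from the JSS SSO Plugin or from the AR System mid-tier. The "leaky" handler copies the driver's exception text into the HTTP response and has no authentication gate; the "hardened" handler checks the session before serving a protected path (the forced-browsing fix) and, on a database failure, keeps the driver detail in the server log while the client only gets a reference id (the error-handling fix). The path prefixes, the fingerprint regex and the fake SQL Server driver message are constructed for the example.

```python
import logging
import re
import uuid
from dataclasses import dataclass, field

log = logging.getLogger("midtier")


class DatabaseError(Exception):
    """Stand-in for whatever exception the JDBC/ODBC driver raises."""


@dataclass
class Request:
    path: str
    session: dict = field(default_factory=dict)  # {"user": ...} once logged in


@dataclass
class Response:
    status: int
    body: str


# Paths that must never be served to an unauthenticated browser
# (hypothetical prefixes chosen for this example).
PROTECTED_PREFIXES = ("/admin", "/reports")

# Vendor fingerprints a tester looks for in an error page; the list is a
# constructed sample, not exhaustive.
DB_FINGERPRINTS = re.compile(
    r"SQL Server|ODBC|ORA-\d{5}|MySQL|PostgreSQL|Syntax error|Invalid object name",
    re.IGNORECASE,
)


def response_leaks_db_info(resp):
    """True if the body would tell a third party what database sits behind the app."""
    return bool(DB_FINGERPRINTS.search(resp.body))


def is_authenticated(req):
    return bool(req.session.get("user"))


def leaky_handler(req, query_db):
    """The 'before' picture: no authentication gate, and the driver's own
    message is copied straight into the HTTP response."""
    try:
        return Response(200, query_db(req.path))
    except DatabaseError as exc:
        return Response(500, "Error: " + str(exc))


def hardened_handler(req, query_db):
    """The 'after' picture: authenticate first (closes forced browsing), then
    keep driver detail in the server log and hand the client a reference id."""
    if req.path.startswith(PROTECTED_PREFIXES) and not is_authenticated(req):
        return Response(401, "Authentication required")
    try:
        return Response(200, query_db(req.path))
    except DatabaseError as exc:
        ref = uuid.uuid4().hex[:8]
        # Full detail stays on the server, keyed by the reference the user sees.
        log.error("db error %s on %s: %s", ref, req.path, exc)
        return Response(500, "An internal error occurred (reference %s)" % ref)


def failing_db(path):
    """Constructed stand-in for a query that blows up; the text imitates the
    shape of an ODBC/SQL Server driver message and is not real output."""
    raise DatabaseError(
        "[Microsoft][ODBC SQL Server Driver][SQL Server]Invalid object name 'T9999'."
    )


def working_db(path):
    """Constructed stand-in for a query that succeeds."""
    return "report for " + path


if __name__ == "__main__":
    logged_in = Request("/reports/summary", {"user": "lj"})
    anonymous = Request("/reports/summary")
    for name, handler in (("leaky", leaky_handler), ("hardened", hardened_handler)):
        r = handler(logged_in, failing_db)
        print(name, r.status, "leaks" if response_leaks_db_info(r) else "clean", r.body)
        r = handler(anonymous, working_db)
        print(name, r.status, r.body)
```

Running it shows the leaky handler returning a 500 whose body names the vendor driver, and serving the protected report to an anonymous request, while the hardened handler returns a 401 for the anonymous request and a 500 that carries only a reference id; `response_leaks_db_info` is the check a tester would run over the responses, and the same regex is worth wiring into a scanner or log review after the fix goes in.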

_______________________________________________________________________________
UNSUBSCRIBE or access ARSlist Archives at www.arslist.org attend wwrug12 
www.wwrug12.com ARSList: "Where the Answers Are"
