What Not to Display in an Error Message

Pete Brown - 23 October 2005

As part of my renovation, I'm getting ready to purchase a double wall oven. I figured I'd check out a few of the high-end models to see what they have above and beyond the usual consumer items like Whirlpool and KitchenAid. The first site I hit was Thermador. When I clicked on a model there, this is what I got:

The only information that error message doesn't provide is the user ID and password. Should you be so inclined, it has just about everything else you could ever want to hack their database or their site.

I'm not bothered about my IP showing up in there, as you can get it via my domain anyway. However, here are some other interesting things that message provides us:

  • The type of database in use (SQL Server)
  • The database access technology (JDBC)
  • The back-end processing language (Java)
  • The directory structure (c:\sites\thermador...)
  • Several file names
  • A table name and column naming convention (cats, cat_id, cat_name)
  • The datasource name (Thermador_live)
  • The fact that Macromedia ColdFusion products are in use (you could figure that out anyway)

If you view source, or click the link to expand the stack trace, you get even more information:

java.sql.SQLException: [Macromedia][SQLServer JDBC Driver][SQLServer]Incorrect syntax near the keyword 'order'.
 at macromedia.jdbc.base.BaseExceptions.createException(Unknown Source)
 at macromedia.jdbc.base.BaseExceptions.getException(Unknown Source)
 at macromedia.jdbc.sqlserver.tds.TDSRequest.processErrorToken(Unknown Source)
 at macromedia.jdbc.sqlserver.tds.TDSRequest.processReplyToken(Unknown Source)
 at macromedia.jdbc.sqlserver.tds.TDSRequest.processReply(Unknown Source)
 at macromedia.jdbc.sqlserver.SQLServerImplStatement.getNextResultType(Unknown Source)
 at macromedia.jdbc.base.BaseStatement.commonTransitionToState(Unknown Source)
 at macromedia.jdbc.base.BaseStatement.postImplExecute(Unknown Source)
 at macromedia.jdbc.base.BaseStatement.commonExecute(Unknown Source)
 at macromedia.jdbc.base.BaseStatement.executeInternal(Unknown Source)
 at macromedia.jdbc.base.BaseStatement.execute(Unknown Source)
 at coldfusion.server.j2ee.sql.JRunStatement.execute(JRunStatement.java:212)
 at coldfusion.sql.Executive.executeQuery(Executive.java:974)
 at coldfusion.sql.Executive.executeQuery(Executive.java:886)
 at coldfusion.sql.SqlImpl.execute(SqlImpl.java:236)
 at coldfusion.tagext.sql.QueryTag.doEndTag(QueryTag.java:447)
 at cfsub_cats2ecfm1567151398.runPage(C:\sites\thermador\sub_cats.cfm:11)
 at coldfusion.runtime.CfJspPage.invoke(CfJspPage.java:147)
 at coldfusion.tagext.lang.IncludeTag.doStartTag(IncludeTag.java:357)
 at coldfusion.runtime.CfJspPage._emptyTag(CfJspPage.java:1876)
 at cfproduct_template2einc169405335._factor3(C:\sites\thermador\product_template.inc:85)
 at cfproduct_template2einc169405335.runPage(C:\sites\thermador\product_template.inc:1)
 at coldfusion.runtime.CfJspPage.invoke(CfJspPage.java:147)
 at coldfusion.tagext.lang.IncludeTag.doStartTag(IncludeTag.java:357)
 at coldfusion.runtime.CfJspPage._emptyTag(CfJspPage.java:1876)
 at cfproduct2ecfm1589445026.runPage(C:\sites\thermador\product.cfm:22)
 at coldfusion.runtime.CfJspPage.invoke(CfJspPage.java:147)
 at coldfusion.tagext.lang.IncludeTag.doStartTag(IncludeTag.java:357)
 at coldfusion.filter.CfincludeFilter.invoke(CfincludeFilter.java:62)
 at coldfusion.filter.ApplicationFilter.invoke(ApplicationFilter.java:107)
 at coldfusion.filter.RequestMonitorFilter.invoke(RequestMonitorFilter.java:48)
 at coldfusion.filter.PathFilter.invoke(PathFilter.java:80)
 at coldfusion.filter.ExceptionFilter.invoke(ExceptionFilter.java:47)
 at coldfusion.filter.ClientScopePersistenceFilter.invoke(ClientScopePersistenceFilter.java:28)
 at coldfusion.filter.BrowserFilter.invoke(BrowserFilter.java:35)
 at coldfusion.filter.GlobalsFilter.invoke(GlobalsFilter.java:43)
 at coldfusion.filter.DatasourceFilter.invoke(DatasourceFilter.java:22)
 at coldfusion.CfmServlet.service(CfmServlet.java:105)
 at jrun.servlet.ServletInvoker.invoke(ServletInvoker.java:91)
 at jrun.servlet.JRunInvokerChain.invokeNext(JRunInvokerChain.java:42)
 at jrun.servlet.JRunRequestDispatcher.invoke(JRunRequestDispatcher.java:259)
 at jrun.servlet.ServletEngineService.dispatch(ServletEngineService.java:541)
 at jrun.servlet.jrpp.JRunProxyService.invokeRunnable(JRunProxyService.java:204)
 at jrunx.scheduler.ThreadPool$DownstreamMetrics.invokeRunnable(ThreadPool.java:320)
 at jrunx.scheduler.ThreadPool$ThreadThrottle.invokeRunnable(ThreadPool.java:428)
 at jrunx.scheduler.ThreadPool$UpstreamMetrics.invokeRunnable(ThreadPool.java:266)
 at jrunx.scheduler.WorkerThread.run(WorkerThread.java:66)

Clicking around on their site, I got a bunch of these, with various table names and other information. It was ... enlightening.

This is great information for a developer, but it should never be displayed to the public. A verbose database error is exactly the feedback someone probing a site for SQL injection hopes to see, and the paths, file names, driver and product names do the rest of their reconnaissance for them. Show the public a fixed message and a reference ID, write the exception detail to the server log under that ID, and make sure the debugging output a development server shows is switched off in production; in ColdFusion's case that is the Administrator's robust exception information setting. Take this as an example of what not to ever show in your site error messages.
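As an added example (not part of the original post, and not code from Thermador or Macromedia), here is a small Python checker that flags the categories of detail the list above describes when run over a response body, alongside the pattern the closing advice calls for: a fixed public message carrying only a reference ID, with the exception detail going to the server log. The sample body is constructed from a few lines of the stack trace quoted above; the function names, the regular expressions and the /product.cfm request path are assumptions of the example, not anything taken from the site.

```python
"""Added example, not code from the original post or from the site it describes.

Two small pieces that belong together:
  * find_leaks()  - flags the kinds of detail the post lists (database
    product, driver, language, file paths, stack frames, raw SQL errors)
    when run over an HTTP response body;
  * generic_error_page() - the alternative: a fixed public message carrying
    only a reference ID, with the exception detail written to the server log.
All function names, patterns and the sample body below are assumptions of
this example.
"""
import logging
import re
import traceback
import uuid
from typing import Dict, List, Tuple

# Narrow, illustrative indicators grouped by the categories the post lists.
# A real scanner would carry a much larger fingerprint set.
LEAK_PATTERNS: Dict[str, str] = {
    "database":   r"\b(SQL ?Server|MySQL|Oracle|PostgreSQL|SQLException)\b",
    "driver":     r"\b(JDBC|ODBC)\b",
    "language":   r"\b(java|jrun|jrunx|coldfusion)(?=\.[a-z])",
    "path":       r"[A-Za-z]:\\[^\s:()]+|/(?:var|home|usr|opt|srv)/[^\s:()]+",
    "stack":      r"^\s*at [A-Za-z0-9_$.]+\([^)]*\)\s*$",
    "sql_syntax": r"Incorrect syntax near|You have an error in your SQL syntax|ORA-\d{5}",
}


def find_leaks(body: str) -> Dict[str, List[str]]:
    """Return, per category, the distinct strings in `body` matching an indicator."""
    found: Dict[str, List[str]] = {}
    for category, pattern in LEAK_PATTERNS.items():
        hits = sorted({m.group(0).strip() for m in re.finditer(pattern, body, re.M)})
        if hits:
            found[category] = hits
    return found


log = logging.getLogger("app.errors")


def generic_error_page(exc: BaseException, request_path: str) -> Tuple[int, str]:
    """What the public gets: a fixed message and a reference ID, nothing else.
    The exception text and stack trace go to the server log under that ID,
    so support can still correlate a user's report with the real failure."""
    error_id = uuid.uuid4().hex[:12]
    detail = "".join(traceback.format_exception(type(exc), exc, exc.__traceback__))
    log.error("error_id=%s path=%s\n%s", error_id, request_path, detail)
    body = ("Sorry, something went wrong while handling your request. "
            "If you contact support, please quote reference %s." % error_id)
    return 500, body


# Constructed sample: a verbose response body of the kind the post shows,
# assembled from a few lines of the stack trace quoted in the post.
VERBOSE_BODY = """java.sql.SQLException: [Macromedia][SQLServer JDBC Driver][SQLServer]Incorrect syntax near the keyword 'order'.
 at macromedia.jdbc.base.BaseExceptions.createException(Unknown Source)
 at coldfusion.sql.Executive.executeQuery(Executive.java:974)
 at cfsub_cats2ecfm1567151398.runPage(C:\\sites\\thermador\\sub_cats.cfm:11)
 at cfproduct2ecfm1589445026.runPage(C:\\sites\\thermador\\product.cfm:22)
"""


def demo() -> Dict[str, object]:
    """Scan the verbose body, then produce a generic page for the same failure
    and scan that too, so the two can be compared."""
    before = find_leaks(VERBOSE_BODY)
    try:
        # Simulate the failing request: the exception carries the same detail
        # the verbose page exposed, which is exactly what must stay server-side.
        raise RuntimeError(VERBOSE_BODY)
    except RuntimeError as exc:
        status, page = generic_error_page(exc, "/product.cfm")  # path is assumed
    return {"before": before, "status": status, "page": page, "after": find_leaks(page)}


if __name__ == "__main__":
    logging.basicConfig(level=logging.ERROR)
    result = demo()
    for category, hits in result["before"].items():
        print("verbose page leaks %-11s %s" % (category + ":", ", ".join(hits)))
    print("generic page leaks:", result["after"] or "nothing")
```

Run against your own site's error responses (or a staging copy with a deliberately broken query), `find_leaks` is the kind of check that belongs in a pre-release test: any non-empty result means the production error page is still showing developer detail.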
