Server Error Messages

Servers, when configured for development, often return messages to help developers and administrators set things up properly. These messages are very useful during development, but if they are left enabled in a production environment they can give valuable information away to attackers.

Server Error Messages and Hackers

Typical examples are PHP error messages that echo the failing SQL statement; in some cases they even show query results. For instance, if an attacker is probing a website and submitting invalid data to a form, the web script may not handle every case well. If the attacker triggers an application error, and the code is configured to return that error to the browser, the attacker may learn something about other users, the application design, or the server configuration.

For instance, an error might reveal something like this to an attacker:

Table 'mydb.table' doesn't exist query: SELECT col FROM ctable WHERE id=3 in /home/auser/public_html/extra.inc(1699) : eval()'d code on line 2.

which shows the attacker how the data is being queried and reveals part of the database structure.

In extreme cases these error messages may be extremely detailed and even include information that could compromise the entire system. Take the following (real, but modified) error message:

Warning: mysql_query() [function.mysql-query]: Unable to save result set in filename.php
execute command denied to user 'username'@'%' for routine 'database_name.MyUDF'
Connection information used:
Username: username
Password: password
Port: 123456
Server: localhost

In this case the entire set of database connection details was exposed. Developers often write these kinds of outputs while developing to make debugging easier. Left on in a production environment, however, the results can be deadly.
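The two messages above share recognisable shapes: a PHP warning or notice followed by a source path and line number, a raw SQL statement echoed back, a MySQL server message, or labelled connection details. The following PHP script is an added example, not part of the original page: it scans response bodies you have captured from your own site for those shapes so you can find leaks before an attacker does. The signature patterns are hypothetical heuristics rather than an exhaustive list, and the three sample bodies are constructed (two reuse the messages quoted above, one is a clean friendly page).

```php
<?php
// Added example (not from the original page): look for verbose error output
// in HTTP response bodies captured from your own site. The sample bodies
// at the bottom are constructed for the demonstration.

/**
 * Return a list of [signature-name, matched-text] pairs for every verbose
 * error signature found in $body. The patterns are hypothetical heuristics.
 */
function find_verbose_errors(string $body): array
{
    $signatures = [
        // PHP's default display_errors format: "Warning: ... in /path/file.php"
        'php_runtime_error'    => '/\b(?:Warning|Notice|Fatal error|Parse error|Deprecated):\s.+?\bin\s\S+\.(?:php|inc)\b/i',
        // A filesystem path plus a line number, e.g. "/home/.../extra.inc(1699)" or "x.php on line 2"
        'source_path_and_line' => '/\/[\w.\/-]+\.(?:php|inc)\s*(?:\(\d+\)|\bon line \d+)/i',
        // Raw SQL echoed back alongside an error
        'sql_in_error'         => '/\b(?:query|SQL):\s*(?:SELECT|INSERT|UPDATE|DELETE)\b.+/i',
        // MySQL server messages that name tables or accounts
        'mysql_server_message' => '/\b(?:Table \'[^\']+\' doesn\'t exist|denied to user \'[^\']+\'@)/i',
        // Labelled connection details, as in the credential dump above
        'credential_dump'      => '/^\s*(?:Username|Password|Server|Port):\s*\S+/im',
    ];

    $findings = [];
    foreach ($signatures as $name => $regex) {
        if (preg_match_all($regex, $body, $matches)) {
            foreach ($matches[0] as $hit) {
                $findings[] = [$name, trim($hit)];
            }
        }
    }
    return $findings;
}

// Constructed sample responses: two that leak, one that does not.
$samples = [
    'leaky-1' => "Table 'mydb.table' doesn't exist query: SELECT col FROM ctable WHERE id=3 "
               . "in /home/auser/public_html/extra.inc(1699) : eval()'d code on line 2.",
    'leaky-2' => "Warning: mysql_query() [function.mysql-query]: Unable to save result set in filename.php\n"
               . "execute command denied to user 'username'@'%' for routine 'database_name.MyUDF'\n"
               . "Connection information used:\nUsername: username\nPassword: password\nPort: 123456\nServer: localhost\n",
    'clean'   => "<h1>Sorry, something went wrong.</h1><p>Reference: 5f3a9c</p>",
];

foreach ($samples as $label => $body) {
    $findings = find_verbose_errors($body);
    printf("%-8s %d finding(s)\n", $label, count($findings));
    foreach ($findings as [$name, $hit]) {
        printf("  [%s] %s\n", $name, substr($hit, 0, 70));
    }
}
```

Run it against bodies saved from a crawl of your staging or production site (including deliberately malformed form submissions you send yourself) and treat any finding as a configuration defect to fix, not just a page to hide. The `clean` sample produces no findings, which is what every production response should look like.
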

How Does this Impact my Security?

Server messages that were never meant to be seen generally result in some sort of information disclosure, whether it is data about your site configuration, your server configuration, or, in rare cases, other users.

Prevent Exposure of Server Error Messages

The best way to avoid exposing error messages is to define a friendly error message of your own. This takes some extra work, but it prevents raw errors from being displayed. Each scripting language has its own way of controlling error display. It is recommended to divert errors from being displayed to the user and to write them to a secure log instead.

Some steps you can take for PHP include:

  • Search web directories for files which run phpinfo(), and remove them so they cannot be run (this PHP function returns a plethora of information about the PHP installation).
  • In php.ini, set display_errors to Off.
  • Create a custom error handler that logs the details and displays a friendly message to the user:
    <?php
    // Write the full detail to the server's error log (never to the browser)
    function write_to_logs($errno, $errstr, $errfile, $errline)
    {
        error_log("[$errno] $errstr in $errfile on line $errline");
    }
    function error_handler($errno, $errstr, $errfile, $errline)
    {
        write_to_logs($errno, $errstr, $errfile, $errline);
        echo "Hi user, this is a friendly error message";
        return true; // handled: suppress PHP's built-in error display
    }
    set_error_handler("error_handler");
    ?>
    

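The three steps above belong together in one bootstrap file that every script includes before doing any work. The following PHP is an added example, not the page's own handler: it applies the display_errors setting from code as a safety net, logs full detail privately, and covers the two cases a plain set_error_handler() misses (uncaught exceptions and fatal errors). The log path and the reference-ID scheme are assumptions for the example.

```php
<?php
// Added example, not the original page's handler: a bootstrap file to be
// require()'d at the top of every script. It turns off on-screen error
// output, records full detail in a private log, and shows the user only a
// generic message plus a short reference they can quote to support.
// The log path is an assumption; keep it outside the web root.

ini_set('display_errors', '0');  // never render error detail into the response
ini_set('log_errors', '1');      // ...but always record it
ini_set('error_log', '/var/log/php/app-errors.log'); // assumed path
error_reporting(E_ALL);          // report everything; we only change where it goes

/** Write the full detail to the log and return the reference shown to the user. */
function record_error(string $kind, string $message, string $file, int $line): string
{
    $ref = bin2hex(random_bytes(4)); // 8 hex chars linking the user's report to the log line
    error_log(sprintf('[%s] %s: %s in %s on line %d', $ref, $kind, $message, $file, $line));
    return $ref;
}

/** The only thing the browser ever sees: no paths, no SQL, no credentials. */
function show_friendly_error(string $ref): void
{
    if (!headers_sent()) {
        http_response_code(500);
    }
    echo 'Sorry, something went wrong. Reference: ',
         htmlspecialchars($ref, ENT_QUOTES, 'UTF-8'), "\n";
}

// Warnings and notices: log them, suppress PHP's own output, let the script continue
set_error_handler(function (int $errno, string $errstr, string $errfile, int $errline): bool {
    record_error('E' . $errno, $errstr, $errfile, $errline);
    return true; // true = handled, so the built-in display does not run
});

// Uncaught exceptions (PDOException messages often embed SQL, so they must not reach the browser)
set_exception_handler(function (Throwable $e): void {
    show_friendly_error(record_error(get_class($e), $e->getMessage(), $e->getFile(), $e->getLine()));
});

// Fatal errors bypass set_error_handler; catch them at shutdown
register_shutdown_function(function (): void {
    $err = error_get_last();
    if ($err !== null && in_array($err['type'], [E_ERROR, E_PARSE, E_CORE_ERROR, E_COMPILE_ERROR], true)) {
        show_friendly_error(record_error('fatal', $err['message'], $err['file'], $err['line']));
    }
});

// Demonstration with constructed failures: a warning (logged only, script
// continues) and an exception whose message looks like the leaky SQL error
// quoted earlier (logged in full; the user sees only the reference).
echo $undefined_variable;
throw new RuntimeException("Table 'mydb.table' doesn't exist query: SELECT col FROM ctable WHERE id=3");
```

The ini_set() calls are a belt-and-braces measure only: a parse error in the bootstrap file itself is reported before any of its code runs, so display_errors = Off and log_errors = On still belong in php.ini as the primary control. The reference ID lets support staff find the full entry in the private log without anything sensitive ever leaving the server.
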
Additional Resources

Find Error Messages on Your Server

Golem Technologies includes numerous different server setting scans to help you reduce your exposure to attack with thorough security scanning, including application server setup. See how the Golem Scan can help your business today.