Last post Sep 30, 2011 06:51 PM by markfitzme
Sep 20, 2011 01:18 AM|leslarry|LINK
I have configured my ASP.NET 4.0 application's web.config to use custom errors (according to the 2010 oracle padding recommendations):

<customErrors mode="On" redirectMode="ResponseRewrite" defaultRedirect="~/errorpage.aspx" />

However, I noticed on both my development and production servers that if my SQL 2008 database is not available (taken offline, paused or stopped for whatever reason), my custom error page is NOT shown and some ASP.NET native page is shown instead, which exposes a portion of my application's database login credentials, which in my book is a security flaw. Error message examples are included below.

Is there a method to protect against this security flaw?

Many thanks, Les.

======================
Error messages

Unhandled Error
Error Details
File Error Cannot open database "northwind" requested by the login. The login failed. Login failed for user 'mradmintest'.

=======================
Error SQL Server service has been paused. No new connections will be allowed. To resume the service, use SQL Computer Manager or the Services application in Control Panel. Login failed for user 'mradmintest'.
Sep 20, 2011 02:26 AM|levib|LINK
Hi Les -
I've entered your comments in our bug database. We'll look over this and get back to you with the results of our investigation. Thanks for the report!
Sep 21, 2011 11:17 PM|levib|LINK
We're having trouble reproducing the issue you're seeing. In our environments, we're seeing that the custom error page
errorpage.aspx is sent to the client when there's a SQL-related error, and there's no trace of the original exception in the response.
If possible, could you make a minimal repro web site and email it to us? You can use the 'Send an email' option on the right-hand side of my member page to get in touch with me. Thanks!
Sep 30, 2011 06:51 PM|markfitzme|LINK
Make sure that you weren't logged onto the machine that you were trying to test. If you're logged into the server via terminal services, and generate the error while running a browser on the server, since you're local you may see that error. Remote users may not, though.
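A defence-in-depth step for the situation Les describes (a SqlException raised before a page's own error handling runs, whose message names the database and the login), as an added example that is not part of this thread and not code from the original poster: a Global.asax.cs Application_Error handler that logs the real exception server-side, clears it, and transfers to the same ~/errorpage.aspx named in the web.config above. This complements <customErrors mode="On">; note that mode="RemoteOnly" would still show full details to a browser running on the server itself, which is the local-versus-remote distinction markfitzme raises. The error page path and the Trace sink are assumptions.

```csharp
// Global.asax.cs -- added example, not from the forum thread.
// Assumes ~/errorpage.aspx exists and that System.Diagnostics.Trace is
// routed to a server-side listener (event log, file) in web.config.
using System;
using System.Data.SqlClient;
using System.Diagnostics;
using System.Web;

public class Global : HttpApplication
{
    // Runs for every unhandled exception in the pipeline, including ones
    // thrown while a data-source control opens its connection, i.e. before
    // any try/catch in the page's own code-behind is reachable.
    protected void Application_Error(object sender, EventArgs e)
    {
        Exception ex = Server.GetLastError();
        if (ex == null)
        {
            return;
        }

        // ASP.NET wraps page errors in HttpUnhandledException; log the cause.
        Exception root = ex.GetBaseException();

        // Keep the detail on the server. SqlException.Message can contain
        // 'Login failed for user ...' and the database name, so it must
        // never reach the HTTP response.
        LogServerSide(root);

        // Clearing the error stops ASP.NET from rendering its own (yellow)
        // error page; then show the generic page with a 500 status and stop
        // IIS from replacing the body with its own error page.
        Server.ClearError();
        Response.Clear();
        Response.StatusCode = 500;
        Response.TrySkipIisCustomErrors = true;
        Server.Transfer("~/errorpage.aspx", false);
    }

    private static void LogServerSide(Exception root)
    {
        SqlException sqlEx = root as SqlException;
        string detail = sqlEx != null
            ? "SQL error " + sqlEx.Number + " (state " + sqlEx.State + "): " + sqlEx.Message
            : root.GetType().FullName + ": " + root.Message;

        // Stack trace and message go to the trace listener only.
        Trace.TraceError(detail + Environment.NewLine + root.StackTrace);
    }
}
```

Two caveats a practitioner would want alongside this. First, the example only controls what the application writes; whatever page IIS serves for a failed request is governed separately, so the 500 response should be tested from a remote client, not just a browser on the server. Second, the leaked string here is the SQL login name, which means the application is using SQL authentication with a password in the connection string; switching to Integrated Security (the app pool identity as the database principal) or at least encrypting the connectionStrings section with aspnet_regiis -pe reduces what any error path can expose.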