However, I noticed on both my development & production servers that if my SQL 2008 database is not available (taken offline, paused or stopped for whatever reason),
my custom error page is NOT shown and some ASP.NET native page is shown which exposes a portion of my application's database login credentials,
which in my book is a security flaw. Error message examples are included below.
Is there a method to protect against this security flaw?
Many thanks, Les.
======================
Error messages
Unhandled Error Error Details File Error Cannot open database "northwind" requested by the login. The login failed. Login failed for user 'mradmintest'.
=======================
Error
SQL Server service has been paused. No new connections will be allowed. To resume the service, use SQL Computer Manager or the Services application in Control Panel. Login failed for user 'mradmintest'.
Marked as answer by Vince Xu - MSFT on Oct 20, 2011 05:09 AM
leslarry
Member
100 Points
21 Posts
Database Name and Login account name exposed on error
Sep 20, 2011 12:18 AM|LINK
levib
Star
7702 Points
1099 Posts
Microsoft
Re: Database Name and Login account name exposed on error
Sep 20, 2011 01:26 AM|LINK
Hi Les -
I've entered your comments in our bug database. We'll look over this and get back to you with the results of our investigation. Thanks for the report!
levib
Star
7702 Points
1099 Posts
Microsoft
Re: Database Name and Login account name exposed on error
Sep 21, 2011 10:17 PM|LINK
Les -
We're having trouble reproducing the issue you're seeing. In our environments, we're seeing that the custom error page errorpage.aspx is sent to the client when there's a SQL-related error, and there's no trace of the original exception in the response.
If possible, could you make a minimal repro web site and email it to us? You can use the 'Send an email' option on the right-hand side of my member page to get in touch with me. Thanks!
markfitzme
Star
14319 Points
2215 Posts
Re: Database Name and Login account name exposed on error
Sep 30, 2011 05:51 PM|LINK
Make sure that you weren't logged onto the machine that you were trying to test. If you're logged into the server via terminal services, and generate the error while running a browser on the server, since you're local you may see that error. Remote users may not though.
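
The local-versus-remote difference described in the reply above is what the ASP.NET customErrors mode controls. The following web.config fragment is an added example, not taken from the thread or from the poster's site; it shows the RemoteOnly setting (in a comment) beside mode="On", and the ~/errorpage.aspx path is an assumption based on the page name mentioned in the thread.

```xml
<?xml version="1.0"?>
<!-- Added example: web.config fragment. The path ~/errorpage.aspx is assumed. -->
<configuration>
  <system.web>

    <!--
      RemoteOnly: remote clients get the custom page, but a browser running
      on the server itself (for example inside a terminal services session)
      still receives the detailed ASP.NET error, including the exception
      message with the database and login names.

      <customErrors mode="RemoteOnly" defaultRedirect="~/errorpage.aspx" />
    -->

    <!--
      On: every client, local or remote, is sent the custom page, so a test
      from the server console sees exactly what an outside visitor sees.
    -->
    <customErrors mode="On" defaultRedirect="~/errorpage.aspx" />

    <!-- Release setting: no debug compilation on a production site. -->
    <compilation debug="false" />

  </system.web>
</configuration>
```

To check the result, stop or pause the database and request a data-driven page from a machine other than the server, then confirm the response body contains neither the database name nor the login name.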