[mapserver-users] Error messages contain private info

Jochen Topf jochen at remote.org
Sat Jan 17 05:39:25 EST 2009


On Fri, Jan 16, 2009 at 09:02:21AM -0500, Frank Warmerdam wrote:
> Jochen Topf wrote:
>> When using Mapserver with a database and there is an error connecting to
>> the database the error message sent to the client contains the database
>> connect string including the password! Thats never a good idea. Can this
>> be changed somehow?
>
> Jochen,
>
> I would suggest you review:
>
>   http://mapserver.org/development/rfc/ms-rfc-18.html

That seems like a rather complex solution and it falls short in several
aspects:
* Security should be the default, not some add-on
* It only protects passwords not the rest of the information.

Generally services should not leak any internal information to the outside
world. Passwords are only the worst case here. But anything like host
names, file names, database names, URLs auf cascaded WMSes etc. should
not ever get outside!

If there is an error this information should go into a log file. You can
output a time stamp or some kind of id in the error message so that you
can find the corresponding log messages. For servers only used
internally where you don't mind the information leak or for debugging of
a new setup there could be an option to output error messages to the
client. But thats would only be an option which is off by default.

See http://www.owasp.org/index.php/Top_10_2007-A6 for more on this.

Jochen
-- 
Jochen Topf  jochen at remote.org  http://www.remote.org/jochen/  +49-721-388298



More information about the mapserver-users mailing list