[mapserver-users] Error messages contain private info
Jochen Topf
jochen at remote.org
Sat Jan 17 02:39:25 PST 2009
On Fri, Jan 16, 2009 at 09:02:21AM -0500, Frank Warmerdam wrote:
> Jochen Topf wrote:
>> When using Mapserver with a database and there is an error connecting to
>> the database the error message sent to the client contains the database
>> connect string including the password! That's never a good idea. Can this
>> be changed somehow?
>
> Jochen,
>
> I would suggest you review:
>
> http://mapserver.org/development/rfc/ms-rfc-18.html
That seems like a rather complex solution and it falls short in several
aspects:
* Security should be the default, not some add-on
* It only protects passwords not the rest of the information.
Generally services should not leak any internal information to the outside
world. Passwords are only the worst case here. But anything like host
names, file names, database names, URLs of cascaded WMSes etc. should
not ever get outside!
If there is an error this information should go into a log file. You can
output a time stamp or some kind of id in the error message so that you
can find the corresponding log messages. For servers only used
internally where you don't mind the information leak or for debugging of
a new setup there could be an option to output error messages to the
client. But that would only be an option which is off by default.
See http://www.owasp.org/index.php/Top_10_2007-A6 for more on this.
Jochen
--
Jochen Topf jochen at remote.org http://www.remote.org/jochen/ +49-721-388298