High load reveals passwords

I have seen it happen more than once, and still it baffels me every time, web sites that get slashdotted ™ or just plain heavy-loaded sometime spit out information such as:
SQL Timeout while connecting to: mysql://i40604admin:Pem4Jc2f@mysql4-i/i40604_db

Which is nice as it provided me with a username and password combination for the remote server to try out… you are right there is no fail-safe method of causing this kind of error to prompt out, still why is it providing me with this information in the first case?

  • Jason DePriest

    The question is “where did the error message originate?”

    If they are using a web-based application that talks direction to a database and sends the login information in plain-text, then they should be bent over and spanked.

    If they are sending the queries through a web service that does the talking (to the database) then the error message might not do you any good unless you can find another way to get inside the network.

    Or maybe the web server is just a dumb front-end that talks to an application server in another DMZ, which then calls a web service that connects to the database with the credentials.

    It would certainly give an unethical (or grey hat) a good excuse to dig deeper into what other anomalies they could discover on someone’s site.

    It is possible that they believe they are fully in compliance with the law and security standards if they think this message never leaves their protected internal network. It could be news to them that it is actually forwarded back up the chain all the way to the end-user presentation.

    Somewhere along the development cycle, some piece of these applications was goobered.

    “Duh,” you say. “That’s the point.”

    I just wanted to point out that the actual weak link could be in many different places and finding it would take a bit more work. The average end-user getting that error message would probably just hit refresh and ignore it.

  • Pingback: Clipperz