Ebdon.Net

Web Log/Year2004/August/August02

Monday August 2nd, 2004

QRZ.com back but QSL.net in trouble?

The problem with detailed web-server error messages.

Fortunately, Friday's problems at QRZ.com seem to have been transient, but now QSL.net pages are generating errors. For example, if I look up G4FOX or MM0LSB I get errors similar to this:

Warning: Sybase error: Database 'Hydra' cannot be opened 
  due to inaccessible files or insufficient memory or disk space.
See the SQL Server errorlog for details.
 (severity 14) in /usr/local/apache/htdocs/medusa/functions/db.inc on line 30
Error. Could not execute selAffiliate404 @affiliate_id=10186,
 @http_referer='http://www.qsl.net/mm0lsb' due to: Could not find stored procedure '%.*ls'.

As far as I can tell this only happens if the page doesn't exist; the error is encountered when the site tries to serve a custom 404 error page with advertisements / affiliate links. It is a bit worrying though, for several reasons. As well as the obvious questions about resilience and capacity planning, giving this kind of detailed error message to a non-local user potentially opens up a security hole: the message alone reveals the database name, the filesystem path of the script and the name of the stored procedure being called. Now obviously I'm not going to spell out the possible vulnerabilities in detail, but just looking at the error message should get any security-conscious webmaster worried. This is one area that Microsoft seem to have got right with IIS and .NET (QSL.net appear to be running Apache). IIS will only give detailed error text to a remote user if it has been told to; by default it gives detailed errors to local users and only the briefest of information to remote users.
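As an added example (my own code, not from the post or from QSL.net), here is the "detailed for local, brief for remote" behaviour described above written as a small Python error handler: the full diagnostic always goes to the server log, a loopback client sees it, and any other client gets a generic page with a reference id for support. The sample error text is constructed from the warning quoted above; the loopback-only rule, the reference id and the list of leak patterns are my assumptions.

```python
import ipaddress
import logging
import re
import uuid

log = logging.getLogger("errors")

# Constructed sample: the detailed error text quoted in the post, as the
# application would produce it before anything is sent to the client.
DETAILED_ERROR = (
    "Warning: Sybase error: Database 'Hydra' cannot be opened due to "
    "inaccessible files or insufficient memory or disk space. "
    "See the SQL Server errorlog for details. (severity 14) in "
    "/usr/local/apache/htdocs/medusa/functions/db.inc on line 30\n"
    "Error. Could not execute selAffiliate404 @affiliate_id=10186 "
    "due to: Could not find stored procedure '%.*ls'."
)

# Fragments a remote client should never see (assumed list): script paths,
# database names, stored-procedure chatter, severity codes, SQL parameters.
LEAK_PATTERNS = [
    re.compile(r"/[A-Za-z0-9_./-]+\.(inc|php|asp|aspx)"),
    re.compile(r"Database '[^']+'"),
    re.compile(r"stored procedure"),
    re.compile(r"\(severity \d+\)"),
    re.compile(r"@\w+="),
]


def is_local_client(remote_addr: str) -> bool:
    """Remote-only rule: only loopback addresses count as local."""
    try:
        return ipaddress.ip_address(remote_addr).is_loopback
    except ValueError:
        return False


def error_page(detailed: str, remote_addr: str, status: int = 404):
    """Log the full diagnostic; return (status, body) with details only for local clients."""
    ref = uuid.uuid4().hex[:12]
    log.error("ref=%s client=%s status=%d %s", ref, remote_addr, status, detailed)
    if is_local_client(remote_addr):
        return status, f"<pre>{detailed}</pre>"
    return status, f"<p>Page not found (reference {ref}).</p>"


def leaks_details(body: str) -> list:
    """Return the leak patterns found in a response body (empty means clean)."""
    return [p.pattern for p in LEAK_PATTERNS if p.search(body)]
```

Running `leaks_details` over the body you actually send to remote clients is a cheap regression check that a change to the custom error page has not started leaking again.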

 Posted by Terry Ebdon | Permalink |
 File under: Category Amateur Radio, Category Software Development, Category Blog Entry.

Edited September 7, 2004


Copyright (c) Terry Ebdon, all rights reserved.