19

I was looking for a form on the US Department of Transportations website, and I came to a page that gave me an error, with a full debug report and stack trace.

Hopefully, you can get the same result by going to the page as well: http://www.dot.gov/airconsumer/air-travel-complaint-comment-form

If not, I've included two screenshots of the page (it wouldn't fit into 1)

DOT Error 1

DOT Error 2

Can this result in a breach of security or is it a non-issue (just an inconvenience and unprofessional page)?

What sensitive information is there on the page and how can it be exploited?

I am asking from a purely academic perspective, and have no intention of trying to enter unlawfully into the DOT's site.

Simon East
  • 440
  • 5
  • 10
CodyBugstein
  • 579
  • 5
  • 12

4 Answers4

31

DOT's backend Oracle database is down due to ORA-27101.

ORA-27101 has a nice explanation here with a useful reader comment stating that it happened to them because the Windows Event log was full.

From the output, you can learn that they have Oracle, Java JDBC, Drupal, ColdFusion. You also see some SQL code. With that knowledge you can start digging for vulnerabilities in those products/technologies.

The output mostly means that the DOT Database Administrator will have a hot day and that the page should be back soon. Feel free to notify the administrator as it says on the page.

AHalvar
  • 426
  • 4
  • 3
11

This message is not a security issue by itself. It's just a message. But it gives you a lot of information which you shouldn't get normally. With this information you could start searching through exploit-db and offensive-security if you are not familiar with writing exploits on your own.

Steven Volckaert
  • 1,193
  • 8
  • 15
Xatenev
  • 231
  • 1
  • 6
6

I would argue that this is in fact a security issue, since they are not preventing an verbose error message from being exposed. This might indicate that with enough effort, you could replicate such behaviour somewhere else (by provoking errors) and therefore collecting lots of information about their technologies and configurations.

Philipp Murry
  • 381
  • 1
  • 7
-3

It could represent less work trying to hack them by SQL injection, but nothing here ease the access to their database, that's what I think.

Baruch.wolf
  • 1
  • 1