Microsoft Code Zone Missing Proper Exception Handling Policy
On my Enterprise Library 2.0 course, which was part of the MVPs Week that took place last week, I talked about the Exception Handling Application Block, which is part of the Enterprise Library, and why it is so important to handle exceptions the right way...
One of the most common application security failures is the way developers handle exceptions in their code. If you do not take care of unexpected exceptions, you might expose information about your system that you wanted to conceal.
For example... take a look at the Microsoft Code Zone... it seems nobody looked deeply into the code written there, because when an unexpected exception occurred, inner application details started showing up...
There is a user named UrlRedirection on the system that is used to access the database.
Well, if the big ones fail... probably you will too... so take a deep look at your source code and check whether you have handled all the exceptions the right way: catch them (including any unhandled exception) at the topmost layer before the presentation layer, log the exception, and replace it with an informative exception that does not expose any details about the real one.
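The boundary described above, as an added example in C# (not code from the original post or from Enterprise Library): the real exception, including a constructed database login error that names the account, is logged server-side under a correlation id, and only a sanitized exception carrying that id continues toward the presentation layer. UserFacingException, SafeExceptionBoundary and the sample error text are assumptions for illustration.

```csharp
using System;
using System.Collections.Generic;
// Added example, not code from the original post or from Enterprise Library.
// UserFacingException, SafeExceptionBoundary and the sample error text are assumptions.
public sealed class UserFacingException : Exception
{
    public string CorrelationId { get; }
    public UserFacingException(string message, string correlationId) : base(message)
    {
        CorrelationId = correlationId;
    }
}
public static class SafeExceptionBoundary
{
    // Stand-in for the real server-side sink (file, event log, Logging Block).
    public static readonly List<string> Log = new List<string>();
    // Wrap the topmost layer below the presentation layer with this: anything that
    // escapes is logged in full on the server and replaced before it reaches a page.
    public static T Run<T>(Func<T> work)
    {
        try
        {
            return work();
        }
        catch (UserFacingException)
        {
            throw; // already sanitized by an inner boundary, pass it through unchanged
        }
        catch (Exception ex)
        {
            string id = Guid.NewGuid().ToString("N");
            Log.Add($"[{id}] {ex}"); // type, message, stack trace and inner exceptions stay here
            throw new UserFacingException($"The request could not be completed. Reference: {id}", id);
        }
    }
    public static void Main()
    {
        try
        {
            // Constructed failure that names the database account, like a login error would.
            Run<int>(() => throw new InvalidOperationException("Login failed for user 'EXAMPLE_DB_USER'."));
        }
        catch (UserFacingException ufe)
        {
            Console.WriteLine(ufe.Message);                        // reference id only, no account name
            Console.WriteLine(Log[0].Contains("EXAMPLE_DB_USER"));  // True: detail is in the server log only
        }
    }
}
```

The presentation layer should then display only ufe.Message; the correlation id lets support find the full record in the server log without the page ever carrying it.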
Update: It took someone more than 12 hours to fix this issue... (it's now 3am and I published the post at 10am). Now imagine there had been a leak of more than just the username from the connection string... what could have been done to the system in 12 hours...