Database Name Disclosure (MySQL)

Summary

Netsparker identified a database name disclosure (MySQL) in the error message.

Impact

An attacker can perform brute-force or dictionary-based password guessing on the disclosed database name. It may also help the attacker identify other vulnerabilities or further their exploitation of other identified vulnerabilities.

Remediation

Error messages should be disabled.
Remove this kind of sensitive data from the output.

Classifications

PCI v3.1-6.5.5, PCI v3.2-6.5.5, CAPEC-118, WASC-13, OWASP 2013-A5, OWASP 2017-A6

Netsparker Security Insights

Fragmented SQL Injection Attacks – The Solution
What is the SQL Injection Vulnerability & How to Prevent it?
SQL Injection Prevention Techniques for Ruby on Rails Web Applications
SQL Injection Cheat Sheet
New SQL Injection in Joomla! CMS Allows Attackers Full Administrative Privileges When Exploited

Helpful Use Cases

SQL Injection Vulnerability Scanner
Try a Free Online SQL Injection Test Today with Netsparker
Why You Need a Blind SQL Injection Scanner
Scan for SQL Injection Online