I was recently browsing a very popular review website, when I noticed the following warnings popping up:
From simply loading their web page and seeing these error messages, I could conclude:
- The website is using Drupal.
- The website is using memcached.
- The website is running on Acquia's managed hosting cloud.
- The website has error reporting set to print all errors to the screen.
If I were trying to break into this review site, or cause them a bad day, the information presented in this simple error message would help me quickly tailor my attacks to become much more potent than if I started from a blank slate.
Security through obscurity
I will quickly point out that security through obscurity—thinking you're more secure simply because certain information about your website is kept secret—is no security at all. However, that doesn't mean that obscurity is not an important part of your site's security.
Simply because the site above doesn't have the 'display no error messages' setting enabled on the live website, I was able to learn quite a bit about the site. I could've probably found more 'helpful' error messages had I spent a little more time investigating.