During the course of a client web site upgrade today, one of the site’s visitors informed us that the web site was displaying an error and was exposing passwords in the error message.
While a password was in the error message, that password was valid only for the session state database and does not give access to any other databases, including those with client data.
For those who would like a little more technical detail, the targetFramework error is expected while the site and applications are in transition across the .NET framework boundaries as the site is updated. The presence of the session state password and machine keys was not intended but was a side effect of an issue that has already been addressed. Some of the values are not in use and were commented out, but still displayed in the XML exposed in the error message.
As a result of this exposure, we removed existing accounts and set up new accounts and passwords.