chemistry-dev mailing list archives

From "Donald Kwakkel (JIRA)" <j...@apache.org>
Subject [jira] [Created] (CMIS-942) System Information Leak
Date Mon, 24 Aug 2015 09:30:45 GMT
Donald Kwakkel created CMIS-942:
-----------------------------------

             Summary: System Information Leak
                 Key: CMIS-942
                 URL: https://issues.apache.org/jira/browse/CMIS-942
             Project: Chemistry
          Issue Type: Bug
          Components: opencmis-client
    Affects Versions: OpenCMIS 0.13.0
            Reporter: Donald Kwakkel


The function writeJSONString() in JSONValue.java might reveal system data or debugging information
by calling write() on line 119. The information revealed by write() could help an adversary
form a plan of attack. It is called from CmisBrowserBindingServlet.printError.

Explanation:

An external information leak occurs when system data or debugging information leaves the program
to a remote machine via a socket or network connection. External leaks can help an attacker
by revealing specific data about operating systems, full pathnames, the existence of usernames,
or locations of configuration files, and are more serious than internal information leaks,
which are more difficult for an attacker to access.

Solution: Only log the stack trace and do not return it in the JSON.




--
This message was sent by Atlassian JIRA
(v6.3.4#6332)
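Added example, not OpenCMIS code: a hypothetical error writer that applies the fix the report suggests. The "leaky" variant reproduces the pattern the report describes (exception details written into the JSON error body); the "safe" variant logs the stack trace server-side and sends the client only a generic message with an opaque correlation id. Class, method and sample values are assumptions.

```java
import java.io.IOException;
import java.io.PrintWriter;
import java.io.StringWriter;
import java.io.Writer;
import java.util.UUID;
import java.util.logging.Level;
import java.util.logging.Logger;

public class ErrorResponseExample {
    private static final Logger LOG = Logger.getLogger(ErrorResponseExample.class.getName());

    // Minimal JSON string escaping: quotes, backslashes and control characters.
    static String jsonEscape(String s) {
        StringBuilder sb = new StringBuilder();
        for (char c : s.toCharArray()) {
            switch (c) {
                case '"':  sb.append("\\\""); break;
                case '\\': sb.append("\\\\"); break;
                default:
                    if (c < 0x20) sb.append(String.format("\\u%04x", (int) c));
                    else sb.append(c);
            }
        }
        return sb.toString();
    }

    // BEFORE: exception class, message and stack trace (paths, hostnames, internal
    // class names) are written straight into the response body sent to the client.
    static void printErrorLeaky(Writer out, int status, Throwable t) throws IOException {
        StringWriter st = new StringWriter();
        t.printStackTrace(new PrintWriter(st));
        out.write("{\"status\":" + status + ",\"exception\":\"" + jsonEscape(t.getClass().getName())
                + "\",\"message\":\"" + jsonEscape(String.valueOf(t.getMessage()))
                + "\",\"stacktrace\":\"" + jsonEscape(st.toString()) + "\"}");
    }

    // AFTER: full stack trace goes to the server log only; the client gets a generic
    // message plus a random id an operator can use to find the matching log entry.
    static void printErrorSafe(Writer out, int status, Throwable t) throws IOException {
        String errorId = UUID.randomUUID().toString();
        LOG.log(Level.SEVERE, "request failed, errorId=" + errorId, t);
        out.write("{\"status\":" + status + ",\"message\":\"Internal error\","
                + "\"errorId\":\"" + jsonEscape(errorId) + "\"}");
    }

    public static void main(String[] args) throws IOException {
        // Constructed sample failure whose message would expose a server path.
        Throwable t = new IOException("/srv/example-repo/config.properties (Permission denied)");
        StringWriter w = new StringWriter();
        printErrorSafe(w, 500, t);
        System.out.println(w); // body contains no path, class name or stack frame
    }
}
```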
