chemistry-dev mailing list archives

Site index · List index
Message view « Date » · « Thread »
Top « Date » · « Thread »
From Florian Müller (JIRA) <j...@apache.org>
Subject [jira] [Resolved] (CMIS-942) System Information Leak
Date Mon, 24 Aug 2015 10:00:46 GMT

     [ https://issues.apache.org/jira/browse/CMIS-942?page=com.atlassian.jira.plugin.system.issuetabpanels:all-tabpanel
]

Florian Müller resolved CMIS-942.
---------------------------------
    Resolution: Won't Fix

This is a feature, not a bug. In a productive system it should be turned off. (System property:
org.apache.chemistry.opencmis.stacktrace.disable)

> System Information Leak
> -----------------------
>
>                 Key: CMIS-942
>                 URL: https://issues.apache.org/jira/browse/CMIS-942
>             Project: Chemistry
>          Issue Type: Bug
>          Components: opencmis-client
>    Affects Versions: OpenCMIS 0.13.0
>            Reporter: Donald Kwakkel
>
> The function writeJSONString() in JSONValue.java might reveal system data or debugging
information by calling write() on line 119. The information revealed by write() could help
an adversary form a plan of attack. It is called from CmisBrowserBindingServlet.printError.
> Explanation:
> An external information leak occurs when system data or debugging information leaves
the program to a remote machine via a socket or network connection.  External leaks can help
an attacker by revealing specific data about operating systems, full pathnames, the existence
of usernames, or locations of configuration files, and are more serious than internal information
leaks which are more difficult for an attacker to access.
> Solution: Only log stacktrace and do not return it in json.



--
This message was sent by Atlassian JIRA
(v6.3.4#6332)

Mime
View raw message