chemistry-dev mailing list archives

Site index · List index
Message view « Date » · « Thread »
Top « Date » · « Thread »
From "Donald Kwakkel (JIRA)" <>
Subject [jira] [Commented] (CMIS-942) System Information Leak
Date Mon, 24 Aug 2015 11:07:46 GMT


Donald Kwakkel commented on CMIS-942:

Thanks, we will add this to our security guidelines.

> System Information Leak
> -----------------------
>                 Key: CMIS-942
>                 URL:
>             Project: Chemistry
>          Issue Type: Bug
>          Components: opencmis-client
>    Affects Versions: OpenCMIS 0.13.0
>            Reporter: Donald Kwakkel
> The function writeJSONString() in might reveal system data or debugging
information by calling write() on line 119. The information revealed by write() could help
an adversary form a plan of attack. It is called from CmisBrowserBindingServlet.printError.
> Explanation:
> An external information leak occurs when system data or debugging information leaves
the program to a remote machine via a socket or network connection.  External leaks can help
an attacker by revealing specific data about operating systems, full pathnames, the existence
of usernames, or locations of configuration files, and are more serious than internal information
leaks which are more difficult for an attacker to access.
> Solution: Only log stacktrace and do not return it in json.

This message was sent by Atlassian JIRA

View raw message