chemistry-dev mailing list archives

From "Donald Kwakkel (JIRA)" <j...@apache.org>
Subject [jira] [Comment Edited] (CMIS-942) System Information Leak
Date Mon, 24 Aug 2015 11:07:46 GMT

    [ https://issues.apache.org/jira/browse/CMIS-942?page=com.atlassian.jira.plugin.system.issuetabpanels:comment-tabpanel&focusedCommentId=14709100#comment-14709100 ]

Donald Kwakkel edited comment on CMIS-942 at 8/24/15 11:07 AM:
---------------------------------------------------------------

Thanks, we will add this to our security guidelines.
PS: Because of security by default, I myself would prefer the default the other way around.


was (Author: dkwakkel):
Thanks, we will add this to our security guidelines.

> System Information Leak
> -----------------------
>
>                 Key: CMIS-942
>                 URL: https://issues.apache.org/jira/browse/CMIS-942
>             Project: Chemistry
>          Issue Type: Bug
>          Components: opencmis-client
>    Affects Versions: OpenCMIS 0.13.0
>            Reporter: Donald Kwakkel
>
> The function writeJSONString() in JSONValue.java might reveal system data or debugging
> information by calling write() on line 119. The information revealed by write() could help
> an adversary form a plan of attack. It is called from CmisBrowserBindingServlet.printError.
> Explanation:
> An external information leak occurs when system data or debugging information leaves
> the program to a remote machine via a socket or network connection. External leaks can help
> an attacker by revealing specific data about operating systems, full pathnames, the existence
> of usernames, or locations of configuration files, and are more serious than internal information
> leaks which are more difficult for an attacker to access.
> Solution: Only log stacktrace and do not return it in json.



--
This message was sent by Atlassian JIRA
(v6.3.4#6332)
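The leak described in the issue above (a stack trace serialised into a JSON error response) and the proposed fix (log it, do not return it), as an added example that is not OpenCMIS code. The handler names, the constructed failure and the marker-based check are assumptions made for this illustration.

```python
import json
import logging
import traceback
import uuid

log = logging.getLogger("cmis.browser")  # hypothetical logger name


def leaky_print_error(exc: Exception, status: int) -> str:
    """Vulnerable pattern: the full stack trace (class names, file paths,
    line numbers) is written straight into the response body."""
    return json.dumps({
        "status": status,
        "exception": type(exc).__name__,
        "message": str(exc),
        "stacktrace": traceback.format_exc(),
    })


def safe_print_error(exc: Exception, status: int) -> str:
    """Hardened pattern: the stack trace stays in the server log; the client
    gets a generic message plus an id that support can match to the log entry."""
    error_id = uuid.uuid4().hex
    log.error("error %s (HTTP %d): %s", error_id, status, type(exc).__name__,
              exc_info=exc)
    return json.dumps({
        "status": status,
        "exception": "runtimeException",  # generic error name, no class detail
        "message": "Request failed",
        "errorId": error_id,
    })


def leaks_system_info(body: str) -> bool:
    """Detection check for a response body: typical stack-trace markers
    such as a 'Traceback' header, 'File "...", line N' frames or home paths."""
    markers = ("Traceback", 'File "', ", line ", "/home/", "\\Users\\")
    return any(m in body for m in markers)


def handle(request_path: str, printer) -> str:
    """Simulate a servlet whose repository lookup fails (constructed failure)."""
    try:
        raise FileNotFoundError(f"/srv/cmis/repo{request_path} not found")
    except Exception as exc:
        return printer(exc, 500)


if __name__ == "__main__":
    for name, printer in (("leaky", leaky_print_error), ("safe", safe_print_error)):
        body = handle("/docs/secret.txt", printer)
        print(name, "leaks" if leaks_system_info(body) else "clean", body[:80])
```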
