incubator-jspwiki-dev mailing list archives

From "Florian Holeczek (JIRA)" <j...@apache.org>
Subject [jira] [Closed] (JSPWIKI-83) Ounce Labs Security Finding: DOS - Readlines
Date Sun, 11 Sep 2011 00:05:09 GMT

     [ https://issues.apache.org/jira/browse/JSPWIKI-83?page=com.atlassian.jira.plugin.system.issuetabpanels:all-tabpanel ]

Florian Holeczek closed JSPWIKI-83.
-----------------------------------


> Ounce Labs Security Finding: DOS - Readlines 
> ---------------------------------------------
>
>                 Key: JSPWIKI-83
>                 URL: https://issues.apache.org/jira/browse/JSPWIKI-83
>             Project: JSPWiki
>          Issue Type: Bug
>    Affects Versions: 2.4.104
>            Reporter: Cristian Borlovan
>            Priority: Minor
>         Attachments: report.pdf
>
>
> Description:
> The application contains a variety of different locations where unbounded reads may theoretically expose the application to DOS attacks. If an attacker is capable of controlling whether the reads continue, he may cause the DOS attack.
> Recommendation: 
> Ensure that the reads are bound by a certain threshold to prevent DOS potentials.
> Related Code Locations: 
> 11 findings:
>   Name:           com.ecyrd.jspwiki.diff.ExternalDiffProvider.colorizeDiff(java.lang.String):java.lang.String
>   Type:           Vulnerability.AppDOS
>   Severity:       Low
>   Classification: Vulnerability
>   File Name:      Z:\jspwiki\JSPWiki_2_4_104\JSPWiki-src\src\com\ecyrd\jspwiki\diff\ExternalDiffProvider.java
>   Line / Col:     165 / 0
>   Context:        in . java.io.BufferedReader.readLine ()
>      -----------------------------------
>   Name:           com.ecyrd.jspwiki.providers.RCSFileProvider.getPageInfo(java.lang.String;int):com.ecyrd.jspwiki.WikiPage
>   Type:           Vulnerability.AppDOS
>   Severity:       Low
>   Classification: Vulnerability
>   File Name:      Z:\jspwiki\JSPWiki_2_4_104\JSPWiki-src\src\com\ecyrd\jspwiki\providers\RCSFileProvider.java
>   Line / Col:     148 / 0
>   Context:        stdout . java.io.BufferedReader.readLine ()
>      -----------------------------------
>   Name:           com.ecyrd.jspwiki.SearchMatcher.matchPageContent(java.lang.String;java.lang.String):com.ecyrd.jspwiki.SearchResult
>   Type:           Vulnerability.AppDOS
>   Severity:       Low
>   Classification: Vulnerability
>   File Name:      Z:\jspwiki\JSPWiki_2_4_104\JSPWiki-src\src\com\ecyrd\jspwiki\SearchMatcher.java
>   Line / Col:     67 / 0
>   Context:        in . java.io.BufferedReader.readLine ()
>      -----------------------------------
>   Name:           com.ecyrd.jspwiki.providers.RCSFileProvider.getVersionHistory(java.lang.String):java.util.List
>   Type:           Vulnerability.AppDOS
>   Severity:       Low
>   Classification: Vulnerability
>   File Name:      Z:\jspwiki\JSPWiki_2_4_104\JSPWiki-src\src\com\ecyrd\jspwiki\providers\RCSFileProvider.java
>   Line / Col:     471 / 0
>   Context:        stdout . java.io.BufferedReader.readLine ()
>      -----------------------------------
>   Name:           com.ecyrd.jspwiki.providers.RCSFileProvider.getPageText(java.lang.String;int):java.lang.String
>   Type:           Vulnerability.AppDOS
>   Severity:       Low
>   Classification: Vulnerability
>   File Name:      Z:\jspwiki\JSPWiki_2_4_104\JSPWiki-src\src\com\ecyrd\jspwiki\providers\RCSFileProvider.java
>   Line / Col:     278 / 0
>   Context:        stderr . java.io.BufferedReader.readLine ()
>      -----------------------------------
>   Name:           com.ecyrd.jspwiki.FileUtil.runSimpleCommand(java.lang.String;java.lang.String):java.lang.String
>   Type:           Vulnerability.AppDOS
>   Severity:       Low
>   Classification: Vulnerability
>   File Name:      Z:\jspwiki\JSPWiki_2_4_104\JSPWiki-src\src\com\ecyrd\jspwiki\FileUtil.java
>   Line / Col:     114 / 0
>   Context:        stderr . java.io.BufferedReader.readLine ()
>      -----------------------------------
>   Name:           com.ecyrd.jspwiki.FileUtil.runSimpleCommand(java.lang.String;java.lang.String):java.lang.String
>   Type:           Vulnerability.AppDOS
>   Severity:       Low
>   Classification: Vulnerability
>   File Name:      Z:\jspwiki\JSPWiki_2_4_104\JSPWiki-src\src\com\ecyrd\jspwiki\FileUtil.java
>   Line / Col:     108 / 0
>   Context:        stdout . java.io.BufferedReader.readLine ()
>      -----------------------------------
>   Name:           com.ecyrd.jspwiki.providers.RCSFileProvider.deleteVersion(java.lang.String;int):void
>   Type:           Vulnerability.AppDOS
>   Severity:       Low
>   Classification: Vulnerability
>   File Name:      Z:\jspwiki\JSPWiki_2_4_104\JSPWiki-src\src\com\ecyrd\jspwiki\providers\RCSFileProvider.java
>   Line / Col:     605 / 0
>   Context:        stderr . java.io.BufferedReader.readLine ()
>      -----------------------------------
>   Name:           com.ecyrd.jspwiki.filters.SpamFilter.parseBlacklist(java.lang.String):java.util.Collection
>   Type:           Vulnerability.AppDOS
>   Severity:       Low
>   Classification: Vulnerability
>   File Name:      Z:\jspwiki\JSPWiki_2_4_104\JSPWiki-src\src\com\ecyrd\jspwiki\filters\SpamFilter.java
>   Line / Col:     224 / 0
>   Context:        in . java.io.BufferedReader.readLine ()
>      -----------------------------------
>   Name:           com.ecyrd.jspwiki.providers.RCSFileProvider.getPageInfo(java.lang.String;int):com.ecyrd.jspwiki.WikiPage
>   Type:           Vulnerability.AppDOS
>   Severity:       Low
>   Classification: Vulnerability
>   File Name:      Z:\jspwiki\JSPWiki_2_4_104\JSPWiki-src\src\com\ecyrd\jspwiki\providers\RCSFileProvider.java
>   Line / Col:     212 / 0
>   Context:        stdout . java.io.BufferedReader.readLine ()
>      -----------------------------------
>   Name:           com.ecyrd.jspwiki.providers.RCSFileProvider.putPageText(com.ecyrd.jspwiki.WikiPage;java.lang.String):void
>   Type:           Vulnerability.AppDOS
>   Severity:       Low
>   Classification: Vulnerability
>   File Name:      Z:\jspwiki\JSPWiki_2_4_104\JSPWiki-src\src\com\ecyrd\jspwiki\providers\RCSFileProvider.java
>   Line / Col:     394 / 0
>   Context:        error . java.io.BufferedReader.readLine ()
>      -----------------------------------

--
This message is automatically generated by JIRA.
For more information on JIRA, see: http://www.atlassian.com/software/jira
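The recommendation in the issue, reads bounded by a fixed threshold, in working form. This is an added example written for this archive page, not JSPWiki code: the class name BoundedLineReader and both sample inputs are constructed here, and it assumes Java 11 or newer.

```java
import java.io.IOException;
import java.io.Reader;
import java.io.StringReader;

/** Line reader with hard caps per line and per stream (illustrative helper, not JSPWiki code). */
public final class BoundedLineReader {
    private final Reader in;
    private final int maxLineChars;
    private final long maxTotalChars;
    private long consumed;

    public BoundedLineReader(Reader in, int maxLineChars, long maxTotalChars) {
        this.in = in;
        this.maxLineChars = maxLineChars;
        this.maxTotalChars = maxTotalChars;
    }

    /** Next line without its terminator (LF or CRLF), or null at end of stream.
     *  Fails fast with IOException once a bound is crossed, so a stream the caller
     *  does not fully control cannot grow the heap without limit. */
    public String readLine() throws IOException {
        StringBuilder line = new StringBuilder();
        int c;
        while ((c = in.read()) != -1) {
            if (++consumed > maxTotalChars) {
                throw new IOException("input exceeds " + maxTotalChars + " characters");
            }
            if (c == '\n') {
                return line.toString();
            }
            if (c != '\r') {
                if (line.length() >= maxLineChars) {
                    throw new IOException("line exceeds " + maxLineChars + " characters");
                }
                line.append((char) c);
            }
        }
        return line.length() == 0 ? null : line.toString();
    }

    public static void main(String[] args) throws IOException {
        // Constructed sample: two short lines, well within the caps, read normally.
        BoundedLineReader ok = new BoundedLineReader(new StringReader("spam.example\nbad.example\n"), 256, 4096);
        for (String l; (l = ok.readLine()) != null; ) System.out.println("line: " + l);
        // Constructed sample: one 10,000-character line; rejected after 256 characters, not buffered whole.
        BoundedLineReader oversized = new BoundedLineReader(new StringReader("x".repeat(10_000)), 256, 4096);
        try { oversized.readLine(); }
        catch (IOException e) { System.out.println("rejected: " + e.getMessage()); }
    }
}
```

Each of the 11 findings is a BufferedReader.readLine() loop over stdout, stderr or a file; a bounded reader with limits sized for that source turns an unbounded allocation into a logged parse failure.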
