From: "Florian Holeczek (JIRA)"
To: jspwiki-dev@incubator.apache.org
Date: Sat, 10 Sep 2011 23:35:09 +0000 (UTC)
Message-ID: <1614880101.13962.1315697709929.JavaMail.tomcat@hel.zones.apache.org>
Subject: [jira] [Closed] (JSPWIKI-82) Ounce Labs Security Finding: DOS - Database Connection Close MisUse Pattern

[
https://issues.apache.org/jira/browse/JSPWIKI-82?page=com.atlassian.jira.plugin.system.issuetabpanels:all-tabpanel ]

Florian Holeczek closed JSPWIKI-82.
-----------------------------------

> Ounce Labs Security Finding: DOS - Database Connection Close MisUse Pattern
> ----------------------------------------------------------------------------
>
>                 Key: JSPWIKI-82
>                 URL: https://issues.apache.org/jira/browse/JSPWIKI-82
>             Project: JSPWiki
>          Issue Type: Bug
>          Components: Authentication&Authorization
>    Affects Versions: 2.4.104
>            Reporter: Cristian Borlovan
>            Assignee: Andrew Jaquith
>             Fix For: 2.6.0
>
>         Attachments: report.pdf
>
>
> Description:
> The application does not close its database connections properly. Typical best practices indicate the try/catch/finally pattern, where the connection close calls are in the finally block.
>
> Recommendation:
> Follow the appropriate database connection close pattern to avoid potential DOS vectors.
>
> Related Code Locations:
> 4 findings:
>
> Name: com.ecyrd.jspwiki.auth.authorize.JDBCGroupDatabase.initialize(com.ecyrd.jspwiki.WikiEngine;java.util.Properties):void
> Type: Vulnerability.AppDOS.ConnectionClose
> Severity: Medium
> Classification: Vulnerability
> File Name: Z:\jspwiki\JSPWiki_2_4_104\JSPWiki-src\src\com\ecyrd\jspwiki\auth\authorize\JDBCGroupDatabase.java
> Line / Col: 387 / 0
> Context: conn . java.sql.Connection.close ()
> -----------------------------------
> Name: com.ecyrd.jspwiki.auth.user.JDBCUserDatabase.initialize(com.ecyrd.jspwiki.WikiEngine;java.util.Properties):void
> Type: Vulnerability.AppDOS.ConnectionClose
> Severity: Medium
> Classification: Vulnerability
> File Name: Z:\jspwiki\JSPWiki_2_4_104\JSPWiki-src\src\com\ecyrd\jspwiki\auth\user\JDBCUserDatabase.java
> Line / Col: 432 / 0
> Context: conn . java.sql.Connection.close ()
> Notes: Description:
> -----------------------------------
> Name: com.ecyrd.jspwiki.auth.authorize.JDBCGroupDatabase.initialize(com.ecyrd.jspwiki.WikiEngine;java.util.Properties):void
> Type: Vulnerability.AppDOS.ConnectionClose
> Severity: Medium
> Classification: Vulnerability
> File Name: Z:\jspwiki\JSPWiki_2_4_104\JSPWiki-src\src\com\ecyrd\jspwiki\auth\authorize\JDBCGroupDatabase.java
> Line / Col: 367 / 0
> Context: conn . java.sql.Connection.close ()
> -----------------------------------
> Name: com.ecyrd.jspwiki.auth.user.JDBCUserDatabase.initialize(com.ecyrd.jspwiki.WikiEngine;java.util.Properties):void
> Type: Vulnerability.AppDOS.ConnectionClose
> Severity: Medium
> Classification: Vulnerability
> File Name: Z:\jspwiki\JSPWiki_2_4_104\JSPWiki-src\src\com\ecyrd\jspwiki\auth\user\JDBCUserDatabase.java
> Line / Col: 412 / 0
> Context: conn . java.sql.Connection.close ()
> -----------------------------------

--
This message is automatically generated by JIRA.
For more information on JIRA, see: http://www.atlassian.com/software/jira
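The finding above says only that `conn.close()` is not reached on every path and that the close belongs in a `finally` block. The following is an added illustration, not JSPWiki code and not taken from the Ounce Labs report: it contrasts a method that closes its connection only on the normal path with the try/finally form the recommendation describes (and the Java 7+ try-with-resources equivalent), and shows why the leak becomes a denial-of-service vector when a pool of fixed size runs dry. `FakeConnection`, its pool size and the `Initializer` interface are constructed stand-ins so the program runs without a database or JDBC driver.

```java
// Added example (not JSPWiki code): why a connection closed only on the normal
// path leaks under exceptions, and the try/finally fix the finding recommends.
// FakeConnection is a constructed stand-in for java.sql.Connection so the
// program runs offline; its POOL_SIZE and the failure it simulates are made up.

public class ConnectionCloseDemo {

    /** Constructed stand-in for a pooled JDBC connection. */
    static final class FakeConnection implements AutoCloseable {
        private static int open = 0;          // connections currently checked out
        static final int POOL_SIZE = 3;       // pretend pool capacity

        FakeConnection() {
            if (open >= POOL_SIZE) {
                // A real pool would block or throw here: this is the DoS effect.
                throw new IllegalStateException("pool exhausted: " + open + " connections leaked");
            }
            open++;
        }

        /** Simulates a statement that may fail, e.g. a missing table during initialize(). */
        void query(boolean fail) {
            if (fail) throw new RuntimeException("SQLException: table not found");
        }

        @Override public void close() { open--; }

        static int openCount() { return open; }

        static void resetPool() { open = 0; }
    }

    /** Constructed functional interface so the three variants can be run the same way. */
    interface Initializer { void run(boolean fail); }

    /** The pattern the finding flags: close() is reached only if query() succeeds. */
    static void initializeLeaky(boolean fail) {
        FakeConnection conn = new FakeConnection();
        conn.query(fail);   // throws -> the close() below is skipped, connection leaks
        conn.close();
    }

    /** The recommended pattern: close() runs from finally on every exit path. */
    static void initializeSafe(boolean fail) {
        FakeConnection conn = null;
        try {
            conn = new FakeConnection();
            conn.query(fail);
        } finally {
            if (conn != null) {
                conn.close();   // executes whether query() returned or threw
            }
        }
    }

    /** Java 7+ equivalent: try-with-resources closes the connection automatically. */
    static void initializeTryWithResources(boolean fail) {
        try (FakeConnection conn = new FakeConnection()) {
            conn.query(fail);
        }
    }

    /** Calls one variant on the failure path repeatedly; returns how many calls ran before the pool ran dry. */
    static int runUntilExhausted(Initializer variant, int attempts) {
        int completed = 0;
        for (int i = 0; i < attempts; i++) {
            try {
                variant.run(true);              // every call hits the failing statement
            } catch (IllegalStateException e) {
                break;                          // constructor refused: pool exhausted
            } catch (RuntimeException e) {
                // the simulated SQL failure; the caller would log it and continue
            }
            completed++;
        }
        return completed;
    }

    public static void main(String[] args) {
        Initializer[] variants = {
            ConnectionCloseDemo::initializeLeaky,
            ConnectionCloseDemo::initializeSafe,
            ConnectionCloseDemo::initializeTryWithResources
        };
        String[] names = { "close() on normal path only", "try/finally", "try-with-resources" };

        for (int i = 0; i < variants.length; i++) {
            FakeConnection.resetPool();
            int ran = runUntilExhausted(variants[i], 10);
            System.out.println(names[i] + ": " + ran + " failing calls completed, "
                    + FakeConnection.openCount() + " connections still open");
        }
    }
}
```

Run with `javac ConnectionCloseDemo.java && java ConnectionCloseDemo`. The first variant stops after `POOL_SIZE` failing calls with every connection still checked out, which is the exhaustion the report classifies as an application DoS; the two closing-in-finally variants complete all ten calls with nothing left open. In the real `initialize()` methods the same reasoning applies to any `SQLException` thrown between opening the connection and the `close()` call the scanner pointed at.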