Donald Kwakkel created CMIS-942:
-----------------------------------
Summary: System Information Leak
Key: CMIS-942
URL: https://issues.apache.org/jira/browse/CMIS-942
Project: Chemistry
Issue Type: Bug
Components: opencmis-client
Affects Versions: OpenCMIS 0.13.0
Reporter: Donald Kwakkel
The function writeJSONString() in JSONValue.java might reveal system data or
debugging information by calling write() on line 119. The information revealed
by write() could help an adversary form a plan of attack. It is called from
CmisBrowserBindingServlet.printError.
Explanation:
An external information leak occurs when system data or debugging information
leaves the program for a remote machine via a socket or network connection.
External leaks can help an attacker by revealing specific data about operating
systems, full pathnames, the existence of usernames, or locations of
configuration files. They are more serious than internal information leaks,
which are more difficult for an attacker to access.
Solution: Only log the stack trace; do not return it in the JSON response.
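The leaky and the corrected shape of such an error response, as an added example (this is not OpenCMIS code; the field names, the correlation id and the java.util.logging logger are assumptions made for the illustration):

```java
import java.io.PrintWriter;
import java.io.StringWriter;
import java.util.UUID;
import java.util.logging.Level;
import java.util.logging.Logger;

// Illustration of the leak described in CMIS-942 and its fix; not OpenCMIS code.
// Field names and the correlation id are assumptions made for this example.
public class ErrorResponseExample {

    private static final Logger LOG = Logger.getLogger(ErrorResponseExample.class.getName());

    private static String stackTraceOf(Throwable t) {
        StringWriter sw = new StringWriter();
        t.printStackTrace(new PrintWriter(sw));
        return sw.toString();
    }

    // Minimal JSON string escaping (enough for this example; use a real JSON
    // library in production).
    private static String quote(String s) {
        String escaped = s.replace("\\", "\\\\").replace("\"", "\\\"")
                          .replace("\n", "\\n").replace("\r", "\\r").replace("\t", "\\t");
        return "\"" + escaped + "\"";
    }

    // Leaky variant: the stack trace (class and file names, line numbers, and
    // whatever paths or account names the messages contain) is sent to the client.
    static String leakyErrorJson(Throwable t) {
        return "{\"exception\":" + quote(t.getClass().getSimpleName())
             + ",\"message\":" + quote(String.valueOf(t.getMessage()))
             + ",\"stacktrace\":" + quote(stackTraceOf(t)) + "}";
    }

    // Hardened variant: the stack trace goes only to the server log, tagged with a
    // correlation id; the client gets the exception name, the message and that id,
    // so an operator can still find the full trace in the log.
    static String safeErrorJson(Throwable t) {
        String correlationId = UUID.randomUUID().toString();
        LOG.log(Level.WARNING, "request failed (" + correlationId + ")", t);
        return "{\"exception\":" + quote(t.getClass().getSimpleName())
             + ",\"message\":" + quote(String.valueOf(t.getMessage()))
             + ",\"correlationId\":" + quote(correlationId) + "}";
    }
}
```

Whether the exception message itself is safe to return depends on what the repository puts in it; the issue only concerns the stack trace.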
--
This message was sent by Atlassian JIRA
(v6.3.4#6332)