Donald Kwakkel created CMIS-942:
-----------------------------------

             Summary: System Information Leak
                 Key: CMIS-942
                 URL: https://issues.apache.org/jira/browse/CMIS-942
             Project: Chemistry
          Issue Type: Bug
          Components: opencmis-client
    Affects Versions: OpenCMIS 0.13.0
            Reporter: Donald Kwakkel


The function writeJSONString() in JSONValue.java might reveal system data or 
debugging information by calling write() on line 119. The information revealed 
by write() could help an adversary form a plan of attack. It is called from 
CmisBrowserBindingServlet.printError.

Explanation:

An external information leak occurs when system data or debugging information 
leaves the program to a remote machine via a socket or network connection.  
External leaks can help an attacker by revealing specific data about operating 
systems, full pathnames, the existence of usernames, or locations of 
configuration files, and are more serious than internal information leaks which 
are more difficult for an attacker to access.

Solution: Only log stacktrace and do not return it in json.




--
This message was sent by Atlassian JIRA
(v6.3.4#6332)

Reply via email to