[ https://issues.apache.org/jira/browse/CMIS-942?page=com.atlassian.jira.plugin.system.issuetabpanels:comment-tabpanel&focusedCommentId=14709100#comment-14709100 ]

Donald Kwakkel edited comment on CMIS-942 at 8/24/15 11:07 AM:
---------------------------------------------------------------

Thanks, we will add this to our security guidelines.
PS: Because of security by default, I myself would prefer the default the other way around.


was (Author: dkwakkel):
Thanks, we will add this to our security guidelines.

> System Information Leak
> -----------------------
>
>                 Key: CMIS-942
>                 URL: https://issues.apache.org/jira/browse/CMIS-942
>             Project: Chemistry
>          Issue Type: Bug
>          Components: opencmis-client
>    Affects Versions: OpenCMIS 0.13.0
>            Reporter: Donald Kwakkel
>
> The function writeJSONString() in JSONValue.java might reveal system data or 
> debugging information by calling write() on line 119. The information 
> revealed by write() could help an adversary form a plan of attack. It is 
> called from CmisBrowserBindingServlet.printError.
> Explanation:
> An external information leak occurs when system data or debugging information 
> leaves the program to a remote machine via a socket or network connection.  
> External leaks can help an attacker by revealing specific data about 
> operating systems, full pathnames, the existence of usernames, or locations 
> of configuration files, and are more serious than internal information leaks 
> which are more difficult for an attacker to access.
> Solution: Only log stacktrace and do not return it in json.

--
This message was sent by Atlassian JIRA
(v6.3.4#6332)

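The pattern the report describes, shown as an added illustration that is not OpenCMIS code: a leaky error writer that copies the exception's stack trace into the JSON body, beside the hardened form the report proposes, which logs the trace on the server and returns only the status and message. The class and method names (ErrorResponses, leakyErrorJson, safeErrorJson, jsonEscape, stackTraceOf) are hypothetical, the hand-rolled JSON escaping stands in for whatever JSON library the servlet uses, the correlation id is an addition beyond the report so that a client-side error can still be matched to its log entry, and the nested IOException with a server path is a constructed failure, not one taken from the issue.

```java
import java.io.PrintWriter;
import java.io.StringWriter;
import java.util.UUID;
import java.util.logging.Level;
import java.util.logging.Logger;

/**
 * Added illustration, not OpenCMIS code. All names here are hypothetical.
 * Shows the error-response pattern flagged in CMIS-942 in a leaky and a
 * hardened form.
 */
public final class ErrorResponses {

    private static final Logger LOG = Logger.getLogger(ErrorResponses.class.getName());

    private ErrorResponses() {
    }

    /** Minimal JSON string escaping so the demo needs no external library. */
    static String jsonEscape(String s) {
        StringBuilder sb = new StringBuilder(s.length() + 16);
        for (char c : s.toCharArray()) {
            switch (c) {
                case '"':  sb.append("\\\""); break;
                case '\\': sb.append("\\\\"); break;
                case '\n': sb.append("\\n");  break;
                case '\r': sb.append("\\r");  break;
                case '\t': sb.append("\\t");  break;
                default:
                    if (c < 0x20) {
                        sb.append(String.format("\\u%04x", (int) c));
                    } else {
                        sb.append(c);
                    }
            }
        }
        return sb.toString();
    }

    /** Renders the full stack trace as text; this belongs in the server log only. */
    static String stackTraceOf(Throwable t) {
        StringWriter sw = new StringWriter();
        t.printStackTrace(new PrintWriter(sw));
        return sw.toString();
    }

    /**
     * BEFORE: the pattern the report flags. The stack trace, with class names,
     * line numbers and any paths carried by nested causes, goes straight into
     * the HTTP response body.
     */
    static String leakyErrorJson(int status, Throwable t) {
        return "{\"status\":" + status + ","
             + "\"exception\":\"" + jsonEscape(t.getClass().getName()) + "\","
             + "\"message\":\"" + jsonEscape(String.valueOf(t.getMessage())) + "\","
             + "\"stacktrace\":\"" + jsonEscape(stackTraceOf(t)) + "\"}";
    }

    /**
     * AFTER: the fix the report proposes. The stack trace is logged server-side
     * (here under a random correlation id, an addition for troubleshooting);
     * the client receives only the status, the message and that id. The
     * message itself should be vetted too, since exception messages can carry
     * paths or host names of their own.
     */
    static String safeErrorJson(int status, Throwable t) {
        String correlationId = UUID.randomUUID().toString();
        LOG.log(Level.SEVERE, "request failed, correlationId=" + correlationId, t);
        return "{\"status\":" + status + ","
             + "\"exception\":\"" + jsonEscape(t.getClass().getSimpleName()) + "\","
             + "\"message\":\"" + jsonEscape(String.valueOf(t.getMessage())) + "\","
             + "\"correlationId\":\"" + correlationId + "\"}";
    }

    public static void main(String[] args) {
        // Constructed failure: a nested cause carrying a server-side path,
        // exactly the kind of detail the report says must not reach a client.
        Exception cause = new java.io.IOException("/opt/cmis/repo/config.properties (Permission denied)");
        Exception failure = new IllegalStateException("repository unavailable", cause);

        String leaky = leakyErrorJson(500, failure);
        String safe = safeErrorJson(500, failure);

        System.out.println("leaky response contains server path: " + leaky.contains("/opt/cmis/repo"));
        System.out.println("safe response contains server path:  " + safe.contains("/opt/cmis/repo"));
        System.out.println("safe response: " + safe);
    }
}
```

Running the class prints `true` for the leaky body and `false` for the hardened one; the stack trace, including the nested IOException's path, appears only in the logger output, keyed by the correlation id that the client also received.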