Details
- Bug
- Status: Resolved
- Major
- Resolution: Won't Fix
- OpenCMIS 0.13.0
- None
- None
Description
The function writeJSONString() in JSONValue.java might reveal system data or debugging information by calling write() on line 119. The information revealed by write() could help an adversary form a plan of attack. It is called from CmisBrowserBindingServlet.printError.
Explanation:
An external information leak occurs when system data or debugging information leaves the program to a remote machine via a socket or network connection. External leaks can help an attacker by revealing specific data about operating systems, full pathnames, the existence of usernames, or locations of configuration files. They are more serious than internal information leaks, which are more difficult for an attacker to access.
Solution: only log the stack trace on the server and do not return it in the JSON error response.