Announcement

Collapse
No announcement yet.
X
  • Filter
  • Time
Clear All
new posts

  • Information Leakage in URLDecoder

    Hi,

    We have the following report from security team:

    Information Leakage in Isomorphic:

    1. Append %uf to your URL

    2. User sees the following in the browser:

    java.lang.NumberFormatException: For input string: "uf"
    at java.lang.NumberFormatException.forInputString(NumberFormatException.java:65)
    at java.lang.Integer.parseInt(Integer.java:580)
    at com.isomorphic.servlet.URLDecoder.decode(ServletTools.java:2203)
    at com.isomorphic.servlet.ServletTools.getInitialRequestURI(ServletTools.java:2087)
    at com.isomorphic.servlet.URIRegexFilter._doFilter(URIRegexFilter.java:274)
    at com.isomorphic.servlet.BaseFilter.doFilter(BaseFilter.java:93)
    at weblogic.servlet.internal.FilterChainImpl.doFilter(FilterChainImpl.java:78)
    at com.isomorphic.servlet.CompressionFilter._doFilter(CompressionFilter.java:260)
    at com.isomorphic.servlet.BaseFilter.doFilter(BaseFilter.java:93)
    at weblogic.servlet.internal.FilterChainImpl.doFilter(FilterChainImpl.java:78)
    at weblogic.servlet.internal.RequestEventsFilter.doFilter(RequestEventsFilter.java:32)
    at weblogic.servlet.internal.FilterChainImpl.doFilter(FilterChainImpl.java:78)
    at weblogic.servlet.internal.WebAppServletContext$ServletInvocationAction.wrapRun(WebAppServletContext.java:3701)
    at weblogic.servlet.internal.WebAppServletContext$ServletInvocationAction.run(WebAppServletContext.java:3667)
    at weblogic.security.acl.internal.AuthenticatedSubject.doAs(AuthenticatedSubject.java:326)
    at weblogic.security.service.SecurityManager.runAsForUserCode(SecurityManager.java:197)
    at weblogic.servlet.provider.WlsSecurityProvider.runAsForUserCode(WlsSecurityProvider.java:203)
    at weblogic.servlet.provider.WlsSubjectHandle.run(WlsSubjectHandle.java:71)
    at weblogic.servlet.internal.WebAppServletContext.doSecuredExecute(WebAppServletContext.java:2443)
    at weblogic.servlet.internal.WebAppServletContext.securedExecute(WebAppServletContext.java:2291)
    at weblogic.servlet.internal.WebAppServletContext.execute(WebAppServletContext.java:2269)
    at weblogic.servlet.internal.ServletRequestImpl.runInternal(ServletRequestImpl.java:1705)
    at weblogic.servlet.internal.ServletRequestImpl.run(ServletRequestImpl.java:1665)
    at weblogic.servlet.provider.ContainerSupportProviderImpl$WlsRequestExecutor.run(ContainerSupportProviderImpl.java:272)
    at weblogic.invocation.ComponentInvocationContextManager._runAs(ComponentInvocationContextManager.java:352)
    at weblogic.invocation.ComponentInvocationContextManager.runAs(ComponentInvocationContextManager.java:337)
    at weblogic.work.LivePartitionUtility.doRunWorkUnderContext(LivePartitionUtility.java:57)
    at weblogic.work.PartitionUtility.runWorkUnderContext(PartitionUtility.java:41)
    at weblogic.work.SelfTuningWorkManagerImpl.runWorkUnderContext(SelfTuningWorkManagerImpl.java:644)
    at weblogic.work.ExecuteThread.execute(ExecuteThread.java:415)
    at weblogic.work.ExecuteThread.run(ExecuteThread.java:355)

    3. Is is possible to not push exception stack to the client?


    Thanks!



  • #2
    Yes, you can globally disable this type of reporting by setting this flag in your server.properties:

    Code:
    servlet.sendStackTraceToClient: false

    Comment


    • #3
      This works.

      Thanks!

      Comment

      Working...
      X