    Information Leakage in URLDecoder

    Hi,

    We have the following report from security team:

    Information Leakage in Isomorphic:

    1. Append %uf to your URL

    2. User sees the following in the browser:

    java.lang.NumberFormatException: For input string: "uf"
    at java.lang.NumberFormatException.forInputString(NumberFormatException.java:65)
    at java.lang.Integer.parseInt(Integer.java:580)
    at com.isomorphic.servlet.URLDecoder.decode(ServletTools.java:2203)
    at com.isomorphic.servlet.ServletTools.getInitialRequestURI(ServletTools.java:2087)
    at com.isomorphic.servlet.URIRegexFilter._doFilter(URIRegexFilter.java:274)
    at com.isomorphic.servlet.BaseFilter.doFilter(BaseFilter.java:93)
    at weblogic.servlet.internal.FilterChainImpl.doFilter(FilterChainImpl.java:78)
    at com.isomorphic.servlet.CompressionFilter._doFilter(CompressionFilter.java:260)
    at com.isomorphic.servlet.BaseFilter.doFilter(BaseFilter.java:93)
    at weblogic.servlet.internal.FilterChainImpl.doFilter(FilterChainImpl.java:78)
    at weblogic.servlet.internal.RequestEventsFilter.doFilter(RequestEventsFilter.java:32)
    at weblogic.servlet.internal.FilterChainImpl.doFilter(FilterChainImpl.java:78)
    at weblogic.servlet.internal.WebAppServletContext$ServletInvocationAction.wrapRun(WebAppServletContext.java:3701)
    at weblogic.servlet.internal.WebAppServletContext$ServletInvocationAction.run(WebAppServletContext.java:3667)
    at weblogic.security.acl.internal.AuthenticatedSubject.doAs(AuthenticatedSubject.java:326)
    at weblogic.security.service.SecurityManager.runAsForUserCode(SecurityManager.java:197)
    at weblogic.servlet.provider.WlsSecurityProvider.runAsForUserCode(WlsSecurityProvider.java:203)
    at weblogic.servlet.provider.WlsSubjectHandle.run(WlsSubjectHandle.java:71)
    at weblogic.servlet.internal.WebAppServletContext.doSecuredExecute(WebAppServletContext.java:2443)
    at weblogic.servlet.internal.WebAppServletContext.securedExecute(WebAppServletContext.java:2291)
    at weblogic.servlet.internal.WebAppServletContext.execute(WebAppServletContext.java:2269)
    at weblogic.servlet.internal.ServletRequestImpl.runInternal(ServletRequestImpl.java:1705)
    at weblogic.servlet.internal.ServletRequestImpl.run(ServletRequestImpl.java:1665)
    at weblogic.servlet.provider.ContainerSupportProviderImpl$WlsRequestExecutor.run(ContainerSupportProviderImpl.java:272)
    at weblogic.invocation.ComponentInvocationContextManager._runAs(ComponentInvocationContextManager.java:352)
    at weblogic.invocation.ComponentInvocationContextManager.runAs(ComponentInvocationContextManager.java:337)
    at weblogic.work.LivePartitionUtility.doRunWorkUnderContext(LivePartitionUtility.java:57)
    at weblogic.work.PartitionUtility.runWorkUnderContext(PartitionUtility.java:41)
    at weblogic.work.SelfTuningWorkManagerImpl.runWorkUnderContext(SelfTuningWorkManagerImpl.java:644)
    at weblogic.work.ExecuteThread.execute(ExecuteThread.java:415)
    at weblogic.work.ExecuteThread.run(ExecuteThread.java:355)

    3. Is it possible to not push the exception stack to the client?


    Thanks!



    #2
    Yes, you can globally disable this type of reporting by setting this flag in your server.properties:

    Code:
    servlet.sendStackTraceToClient: false
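The flag above keeps the trace out of the browser; the trace itself points at the underlying defect, a decoder that assumes two hex digits follow every '%' and hands whatever is there to Integer.parseInt. Added example, not Isomorphic's or the forum's code: the naive decoder with that assumption beside a hardened one that rejects a malformed escape such as %uf with a controlled error (the class, method and MalformedEscapeException names are hypothetical).

```java
import java.io.ByteArrayOutputStream;
import java.nio.charset.StandardCharsets;

// Added example, not Isomorphic's code. naiveDecode() reproduces the failure mode in the trace above;
// safeDecode() validates the escape before decoding and reports a controlled, traceless error.
public final class PercentDecoderDemo {
    // Naive: assumes two hex digits follow every '%', so "%uf" is handed straight to Integer.parseInt.
    static String naiveDecode(String s) {
        StringBuilder out = new StringBuilder();
        for (int i = 0; i < s.length(); i++) {
            if (s.charAt(i) != '%') { out.append(s.charAt(i)); continue; }
            out.append((char) Integer.parseInt(s.substring(i + 1, i + 3), 16)); // throws for "uf"
            i += 2;
        }
        return out.toString();
    }
    // Hypothetical exception type: a filter would map it to HTTP 400 and log the offset server-side only.
    static final class MalformedEscapeException extends IllegalArgumentException {
        MalformedEscapeException(int offset) { super("malformed percent-escape at offset " + offset); }
    }
    // Hardened: requires two hex digits, decodes consecutive escapes as one UTF-8 sequence,
    // and copies every other character through unchanged.
    static String safeDecode(String s) {
        StringBuilder out = new StringBuilder();
        ByteArrayOutputStream pending = new ByteArrayOutputStream(); // bytes of the current escape run
        for (int i = 0; i < s.length(); ) {
            char c = s.charAt(i);
            if (c != '%') { flush(pending, out); out.append(c); i++; continue; }
            int hi = i + 2 < s.length() ? Character.digit(s.charAt(i + 1), 16) : -1;
            int lo = i + 2 < s.length() ? Character.digit(s.charAt(i + 2), 16) : -1;
            if (hi < 0 || lo < 0) throw new MalformedEscapeException(i); // "%uf", "%4", "%zz"
            pending.write((hi << 4) | lo);
            i += 3;
        }
        flush(pending, out);
        return out.toString();
    }

    private static void flush(ByteArrayOutputStream pending, StringBuilder out) {
        if (pending.size() == 0) return;
        out.append(new String(pending.toByteArray(), StandardCharsets.UTF_8));
        pending.reset();
    }

    public static void main(String[] args) {
        System.out.println(safeDecode("/app/caf%C3%A9%20menu")); // well-formed escapes decode normally
        try { naiveDecode("/app/%uf"); } catch (NumberFormatException e) { System.out.println("naive: " + e); }
        try { safeDecode("/app/%uf"); } catch (MalformedEscapeException e) { System.out.println("safe: " + e.getMessage()); }
    }
}
```

Even with the flag set, the request still fails; the hardened decoder turns that failure into a deliberate client error that can be logged and counted rather than an unexpected exception surfacing from the filter chain.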



      #3
      This works.

      Thanks!



        #4
        Hi Isomorphic,

        I was looking for this one as I remembered that I read it before and that I had the same question once. My old thread is here.
        I did not find any information on this in the docs. If this is true, can you add it?

        Also a servlet.sendStackTraceToClient: true, which seems to be the default, would be good in BuiltInDS and other samples, IMHO.

        Best regards
        Blama
