    Security Vulnerability reported with SmartClient_10_0_Enterprise version

    Hi,


    Security vulnerability - Full path disclosure on MyFileGateway.


    The endpoint /myfilegateway/isomorphic/IDACall is exposed on the Internet on URL https://qua-hipmft-emea.loreal.net:6443
    By sending a crafted request with an invalid dataSource parameter, the application leaks a valid filepath on the server.


    Response
    HTTP/1.1 200 OK
    Date: Mon, 14 Dec 2020 10:26:40 GMT
    X-FRAME-OPTIONS: SAMEORIGIN
    X-Content-Type-Options: nosniff
    X-Content-Type-Options: nosniff
    Cache-Control: no-cache, no-store, private, must-revalidate, max-age=0
    Pragma: no-cache
    Expires: Thu, 01 Jan 1970 00:00:00 GMT
    Content-Type: text/plain;charset=utf-8
    Server: HTTP Server
    Set-Cookie: JSESSIONID=zp9detwq58xm1hwkzkq76nzbp;Path=/myfilegateway;Secure;HttpOnly
    Content-Length: 337
    //isc_RPCResponseStart-->[ {affectedRows:0,data:"Can't find dataSource: test_path - please make sure that you have a test_path.ds.xml file for it in one of these locations: [/data/master/IBM/si/install/tmp/local_node1_63021_1423482803/webapp/shared/] ds",invalidateCache:false,isDSResponse:true,queueStatus:-1,status:-1}
    ]//isc_RPCResponseEnd
    Issue 2:

    Security vulnerability - Exceptions information leak in MyFileGateway.
    Exceptions information leak in MyFileGateway.
    The endpoint /myfilegateway/isomorphic/IDACall is exposed on the internet on URL https://qua-hipmft-emea.loreal.net:6443.
    By sending a crafted request, an uncaught exception is triggered in the web application, which returns an execution stack trace to the remote user.
    We see following NPE coming from smartclient library.
    They need to fix this NPE.

    #2
    Exposing full path issue (#1) is fixed and will be available for download in nightly builds since Jan 9 (tomorrow).

    As for the NPE issue (#2), in order to address it we need more details. Ideally standalone test case or just enough details for us to reproduce this issue. Thank you.



      #3
      Thanks for the response. We are planning to upgrade our libraries to 12.1. Does
      https://www.smartclient.com/builds/S...ise/2021-01-09 contain the fix for this? Also, is this a supported version?


      Regarding NPE,

      Exceptions information leak in MyFileGateway. (webapp UI)
      The endpoint /myfilegateway/isomorphic/IDACall is exposed on the internet
      By sending a crafted request, an uncaught exception is triggered in the web application, which returns an execution stack trace to the remote user.

      The Issue - can be reproduced using Burp Tool.

      Here is the request and response:

      POST /<removed>/isomorphic/IDACall?isc_rpc=1 HTTP/1.1
      Host: <removed>
      Content-Type: application/x-www-form-urlencoded; charset=UTF-8
      Content-Length: 876
      Referer: <removed>

      _transaction=<transaction xmlns:xsi="http://www.w3.org/2000/10/XMLSchema-instance"
      xsi:type="xsd:Object">REMOVED</transaction>&protocolVersion=1.0

      ## Response

      HTTP/1.1 200 OK
      Date: Mon, 14 Dec 2020 10:00:54 GMT
      X-FRAME-OPTIONS: SAMEORIGIN
      X-Content-Type-Options: nosniff
      X-Content-Type-Options: nosniff
      Cache-Control: no-cache, no-store, private, must-revalidate, max-age=0
      Pragma: no-cache
      Expires: Thu, 01 Jan 1970 00:00:00 GMT
      Content-Type: text/html
      Server: HTTP Server
      Set-Cookie: JSESSIONID=<removed>;Path=/<removed>;Secure;HttpOnly
      Content-Length: 3500

      isc.logWarn("java.lang.NullPointerException\n\tat
      com.isomorphic.datasource.DSRequest.parseUploadedFiles(DSRequest.java:781)\n\tat
      com.isomorphic.datasource.DSRequest.<init>(DSRequest.java:676)\n\tat
      com.isomorphic.rpc.RPCManager.parseRequest(RPCManager.java:2439)\n\tat
      com.isomorphic.rpc.RPCManager.<init>(RPCManager.java:333)\n\tat
      com.isomorphic.rpc.RPCManager.<init>(RPCManager.java:313)\n\tat
      com.isomorphic.servlet.IDACall.processRequest(IDACall.java:147)\n\tat
      com.isomorphic.servlet.IDACall._processRequest(IDACall.java:117)\n\tat
      com.isomorphic.servlet.IDACall.doPost(IDACall.java:76)\n\tat
      javax.servlet.http.HttpServlet.service(HttpServlet.java:713)\n\tat
      com.isomorphic.servlet.BaseServlet.service(BaseServlet.java:156)\n\tat
      javax.servlet.http.HttpServlet.service(HttpServlet.java:806)\n\tat
      org.mortbay.jetty.servlet.ServletHolder.handle(ServletHolder.java:511)\n\tat



        #4
        Yes, the fix is available in the 12.1p since Jan 9 build and it is back-ported to 10.0 as well.

        Regarding the NPE, we were just about to announce end-of-life for 10.0 as it is now 6.5 years old, so please upgrade and let us know if this issue is still there.



          #5
          Hi Isomorphic,

          one could infer from your #4 that you treat stack traces returned from IDACall (or any of your servlets) as issues. Is this correct?

          Best regards
          Blama



            #6
            There's a framework setting servlet.sendStackTraceToClient controlling this documented in BaseServlet javadoc. It will also be mentioned in Error Handling Overview to make it easier to find.

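An added example, not code from this thread or from Isomorphic: a small Python checker that flags the two disclosure patterns quoted above (absolute server paths inside the "Can't find dataSource ... locations: [...]" message, and Java stack frames inside an `isc.logWarn("...")` body), so a team can re-test IDACall responses after installing the fixed build or turning off `servlet.sendStackTraceToClient`. The three response bodies are constructed from the thread's quotes; the `CLEAN_BODY` shape is an assumption about what a hardened response looks like, not documented SmartClient output.

```python
import re

# Constructed sample bodies, modelled on the two IDACall responses quoted in the thread.
PATH_LEAK_BODY = (
    '//isc_RPCResponseStart-->[ {affectedRows:0,data:"Can\'t find dataSource: test_path'
    ' - please make sure that you have a test_path.ds.xml file for it in one of these'
    ' locations: [/data/master/IBM/si/install/tmp/local_node1_63021_1423482803/webapp/shared/]'
    ' ds",invalidateCache:false,isDSResponse:true,queueStatus:-1,status:-1}\n]//isc_RPCResponseEnd'
)
TRACE_LEAK_BODY = (
    'isc.logWarn("java.lang.NullPointerException\\n\\tat '
    'com.isomorphic.datasource.DSRequest.parseUploadedFiles(DSRequest.java:781)\\n\\tat '
    'com.isomorphic.rpc.RPCManager.parseRequest(RPCManager.java:2439)\\n\\tat '
    'com.isomorphic.servlet.IDACall.doPost(IDACall.java:76)")'
)
# Assumed shape of a hardened response: the error message without any server-side location.
CLEAN_BODY = (
    '//isc_RPCResponseStart-->[ {data:"Can\'t find dataSource: test_path",status:-1}\n]//isc_RPCResponseEnd'
)

# "locations: [...]" list inside the DataSource-not-found message
LOCATIONS_RE = re.compile(r'locations:\s*\[([^\]]*)\]')
# Absolute Unix paths or Windows drive paths inside that list
ABS_PATH_RE = re.compile(r'(?:/[\w.\-]+)+/?|[A-Za-z]:\\[^,\]\s]+')
# Java stack frames, either raw or as the escaped "\n\tat" seen inside an isc.logWarn() string
FRAME_RE = re.compile(r'(?:\\n|\n)(?:\\t|\t)at\s+([\w.$<>]+\([\w.]+:\d+\))')
EXCEPTION_RE = re.compile(r'\b(java\.[\w.]*(?:Exception|Error))\b')


def find_leaks(body: str) -> dict:
    """Report server paths, stack frames and exception class disclosed by one response body."""
    paths = []
    for m in LOCATIONS_RE.finditer(body):
        paths.extend(ABS_PATH_RE.findall(m.group(1)))
    frames = FRAME_RE.findall(body)
    exc = EXCEPTION_RE.search(body)
    return {"paths": paths, "frames": frames, "exception": exc.group(1) if exc else None}


def is_leaking(body: str) -> bool:
    """True if the body discloses either a filesystem path or a stack trace."""
    leaks = find_leaks(body)
    return bool(leaks["paths"] or leaks["frames"])


def scan(responses: dict) -> dict:
    """Map each response name to its findings; only leaking responses are returned."""
    return {name: find_leaks(body) for name, body in responses.items() if is_leaking(body)}


if __name__ == "__main__":
    for name, leaks in scan({"path": PATH_LEAK_BODY, "trace": TRACE_LEAK_BODY, "clean": CLEAN_BODY}).items():
        print(name, leaks)
```

Feed it the bodies captured from a proxy such as Burp (as post #3 does) and treat any non-empty `scan()` result as a failed regression check.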