  • Isomorphic
    replied
    There's a framework setting, servlet.sendStackTraceToClient, controlling this, documented in the BaseServlet javadoc. It will also be mentioned in the Error Handling Overview to make it easier to find.


  • Blama
    replied
    Hi Isomorphic,

    one could infer from your #4 that you treat stack traces returned from IDACall (or any of your servlets) as issues. Is this correct?

    Best regards
    Blama


  • Isomorphic
    replied
    Yes, the fix is available in 12.1p as of the Jan 9 build, and it is back-ported to 10.0 as well.

    Regarding the NPE, we were just about to announce end-of-life for 10.0 as it is now 6.5 years old, so please upgrade and let us know if this issue is still there.


  • rashmiachar86
    replied
    Thanks for the response. We are planning to upgrade our libraries to 12.1. Does
    https://www.smartclient.com/builds/S...ise/2021-01-09 contain the fix for this? Also, is this a supported version?

    Regarding the NPE:

    Exceptions information leak in MyFileGateway (webapp UI).
    The endpoint /myfilegateway/isomorphic/IDACall is exposed on the internet.
    By sending a crafted request, an uncaught exception is triggered in the web application, which will return an execution stack trace to the remote user.

    The issue can be reproduced using the Burp tool.

    Here is the request and response:

    POST /<removed>/isomorphic/IDACall?isc_rpc=1 HTTP/1.1
    Host: <removed>
    Content-Type: application/x-www-form-urlencoded; charset=UTF-8
    Content-Length: 876
    Referer: <removed>

    _transaction=<transaction xmlns:xsi="http://www.w3.org/2000/10/XMLSchema-instance"
    xsi:type="xsd:Object">REMOVED</transaction>&protocolVersion=1.0

    ## Response

    HTTP/1.1 200 OK
    Date: Mon, 14 Dec 2020 10:00:54 GMT
    X-FRAME-OPTIONS: SAMEORIGIN
    X-Content-Type-Options: nosniff
    X-Content-Type-Options: nosniff
    Cache-Control: no-cache, no-store, private, must-revalidate, max-age=0
    Pragma: no-cache
    Expires: Thu, 01 Jan 1970 00:00:00 GMT
    Content-Type: text/html
    Server: HTTP Server
    Set-Cookie: JSESSIONID=<removed>;Path=/<removed>;Secure;HttpOnly
    Content-Length: 3500

    isc.logWarn("java.lang.NullPointerException\n\tat
    com.isomorphic.datasource.DSRequest.parseUploadedFiles(DSRequest.java:781)\n\tat
    com.isomorphic.datasource.DSRequest.<init>(DSRequest.java:676)\n\tat
    com.isomorphic.rpc.RPCManager.parseRequest(RPCManager.java:2439)\n\tat
    com.isomorphic.rpc.RPCManager.<init>(RPCManager.java:333)\n\tat
    com.isomorphic.rpc.RPCManager.<init>(RPCManager.java:313)\n\tat
    com.isomorphic.servlet.IDACall.processRequest(IDACall.java:147)\n\tat
    com.isomorphic.servlet.IDACall._processRequest(IDACall.java:117)\n\tat
    com.isomorphic.servlet.IDACall.doPost(IDACall.java:76)\n\tat
    javax.servlet.http.HttpServlet.service(HttpServlet.java:713)\n\tat
    com.isomorphic.servlet.BaseServlet.service(BaseServlet.java:156)\n\tat
    javax.servlet.http.HttpServlet.service(HttpServlet.java:806)\n\tat
    org.mortbay.jetty.servlet.ServletHolder.handle(ServletHolder.java:511)\n\tat




  • Isomorphic
    replied
    The full path exposure issue (#1) is fixed and will be available for download in nightly builds from Jan 9 (tomorrow).

    As for the NPE issue (#2), in order to address it we need more details. Ideally a standalone test case, or just enough details for us to reproduce this issue. Thank you.


  • Security Vulnerability reported with SmartClient_10_0_Enterprise version

    Hi,


    Security vulnerability - Full path disclosure on MyFileGateway.


    The endpoint /myfilegateway/isomorphic/IDACall is exposed on the Internet on URL https://qua-hipmft-emea.loreal.net:6443
    By sending a crafted request with an invalid dataSource parameter, the application leaks a valid filepath on the server.


    Response
    HTTP/1.1 200 OK
    Date: Mon, 14 Dec 2020 10:26:40 GMT
    X-FRAME-OPTIONS: SAMEORIGIN
    X-Content-Type-Options: nosniff
    X-Content-Type-Options: nosniff
    Cache-Control: no-cache, no-store, private, must-revalidate, max-age=0
    Pragma: no-cache
    Expires: Thu, 01 Jan 1970 00:00:00 GMT
    Content-Type: text/plain;charset=utf-8
    Server: HTTP Server
    Set-Cookie: JSESSIONID=zp9detwq58xm1hwkzkq76nzbp;Path=/myfilegateway;Secure;HttpOnly
    Content-Length: 337
    //isc_RPCResponseStart-->[ {affectedRows:0,data:"Can't find dataSource: test_path - please make sure that you have a test_path.ds.xml file for it in one of these locations: [/data/master/IBM/si/install/tmp/local_node1_63021_1423482803/webapp/shared/] ds",invalidateCache:false,isDSResponse:true,queueStatus:-1,status:-1}
    ]//isc_RPCResponseEnd





    Issue 2:

    Security vulnerability - Exceptions information leak in MyFileGateway.

    Exceptions information leak in MyFileGateway.
    The endpoint /myfilegateway/isomorphic/IDACall is exposed on the internet on URL https://qua-hipmft-emea.loreal.net:6443.
    By sending a crafted request, an uncaught exception is triggered in the web application, which will return an execution stack trace to the remote user.

    We see the following NPE coming from the SmartClient library.

    They need to fix this NPE.
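
A response check for the two leaks reported in this thread, added here as an illustration (not code from the posters or from Isomorphic): it flags Java stack frames and absolute server paths in an IDACall-style response body, so it can serve as a regression test after upgrading or changing servlet.sendStackTraceToClient. The name scan_response and the regexes are assumptions of this example; the sample bodies are shortened from the responses quoted above, plus one constructed clean body.

```python
import re

# A Java stack frame such as "at com.isomorphic.servlet.IDACall.doPost(IDACall.java:76)".
# The frame may follow a real tab/newline or the escaped "\t" seen inside isc.logWarn("...").
FRAME = re.compile(r"(?:\\t|\s)at\s+((?:[\w$]+\.)+[\w$<>]+)\((\w+\.java):(\d+)\)")
# Fully qualified exception or error class, e.g. java.lang.NullPointerException.
EXC = re.compile(r"\b(?:[a-z_]\w*\.)+[A-Z]\w*(?:Exception|Error)\b")
# Absolute Unix-style path with at least two components; the lookbehind skips URLs
# and the "//isc_RPC..." response markers.
PATH = re.compile(r"(?<![\w:/.])/(?:[\w.\-]+/)+[\w.\-]*")


def scan_response(body: str) -> dict:
    """Return the stack-trace and path-disclosure indicators found in a response body."""
    frames = [m.group(1) for m in FRAME.finditer(body)]
    paths = sorted(set(PATH.findall(body)))
    return {
        "exceptions": sorted(set(EXC.findall(body))),
        "frames": frames,
        "paths": paths,
        "leaks": bool(frames or paths),
    }


# Sample bodies: shortened from the two responses quoted in this thread, plus a
# constructed "clean" body showing what a generic error could look like.
PATH_LEAK = (
    '//isc_RPCResponseStart-->[ {affectedRows:0,data:"Can\'t find dataSource: test_path - '
    "please make sure that you have a test_path.ds.xml file for it in one of these locations: "
    '[/data/master/IBM/si/install/tmp/local_node1_63021_1423482803/webapp/shared/] ds",'
    "status:-1}\n]//isc_RPCResponseEnd"
)
TRACE_LEAK = (
    r'isc.logWarn("java.lang.NullPointerException\n\tat '
    r"com.isomorphic.datasource.DSRequest.parseUploadedFiles(DSRequest.java:781)\n\tat "
    r"com.isomorphic.datasource.DSRequest.<init>(DSRequest.java:676)\n\tat "
    r'com.isomorphic.servlet.IDACall.doPost(IDACall.java:76)")'
)
CLEAN = '//isc_RPCResponseStart-->[{data:"Request could not be processed",status:-1}]//isc_RPCResponseEnd'

if __name__ == "__main__":
    for name, body in [("path", PATH_LEAK), ("trace", TRACE_LEAK), ("clean", CLEAN)]:
        print(name, scan_response(body))
```

Frames reported as "(Native Method)" or "(Unknown Source)" are not matched by this pattern; the exception class name is still reported in that case.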



