There's a framework setting, servlet.sendStackTraceToClient, controlling this, documented in the BaseServlet javadoc. It will also be mentioned in the Error Handling Overview to make it easier to find.
-
Hi Isomorphic,
one could infer from your #4 that you treat stack traces returned from IDACall (or any of your servlets) as issues. Is this correct?
Best regards
Blama
-
Yes, the fix is available in 12.1p since the Jan 9 build, and it is back-ported to 10.0 as well.
Regarding the NPE, we were just about to announce end-of-life for 10.0 as it is now 6.5 years old, so please upgrade and let us know if this issue is still there.
-
Thanks for the response. We are planning to upgrade our libraries to 12.1. Does
https://www.smartclient.com/builds/S...ise/2021-01-09 contain the fix for this? Also, is this a supported version?
Regarding NPE,
Exceptions information leak in MyFileGateway. (webapp UI)
The endpoint /myfilegateway/isomorphic/IDACall is exposed on the internet
By sending a crafted request, an uncaught exception is triggered in the web application, which returns an execution stack trace to the remote user.
The issue can be reproduced using the Burp tool.
Here is the request and response:
POST /<removed>/isomorphic/IDACall?isc_rpc=1 HTTP/1.1
Host: <removed>
Content-Type: application/x-www-form-urlencoded; charset=UTF-8
Content-Length: 876
Referer: <removed>
_transaction=<transaction xmlns:xsi="http://www.w3.org/2000/10/XMLSchema-instance"
xsi:type="xsd:Object">REMOVED</transaction>&protocolVersion=1.0
## Response
HTTP/1.1 200 OK
Date: Mon, 14 Dec 2020 10:00:54 GMT
X-FRAME-OPTIONS: SAMEORIGIN
X-Content-Type-Options: nosniff
X-Content-Type-Options: nosniff
Cache-Control: no-cache, no-store, private, must-revalidate, max-age=0
Pragma: no-cache
Expires: Thu, 01 Jan 1970 00:00:00 GMT
Content-Type: text/html
Server: HTTP Server
Set-Cookie: JSESSIONID=<removed>;Path=/<removed>;Secure;HttpOnly
Content-Length: 3500
isc.logWarn("java.lang.NullPointerException\n\tat
com.isomorphic.datasource.DSRequest.parseUploadedFiles(DSRequest.java:781)\n\tat
com.isomorphic.datasource.DSRequest.<init>(DSRequest.java:676)\n\tat
com.isomorphic.rpc.RPCManager.parseRequest(RPCManager.java:2439)\n\tat
com.isomorphic.rpc.RPCManager.<init>(RPCManager.java:333)\n\tat
com.isomorphic.rpc.RPCManager.<init>(RPCManager.java:313)\n\tat
com.isomorphic.servlet.IDACall.processRequest(IDACall.java:147)\n\tat
com.isomorphic.servlet.IDACall._processRequest(IDACall.java:117)\n\tat
com.isomorphic.servlet.IDACall.doPost(IDACall.java:76)\n\tat
javax.servlet.http.HttpServlet.service(HttpServlet.java:713)\n\tat
com.isomorphic.servlet.BaseServlet.service(BaseServlet.java:156)\n\tat
javax.servlet.http.HttpServlet.service(HttpServlet.java:806)\n\tat
org.mortbay.jetty.servlet.ServletHolder.handle(ServletHolder.java:511)\n\tat
-
The full path exposure issue (#1) is fixed, and the fix will be available for download in nightly builds from Jan 9 (tomorrow).
As for the NPE issue (#2), we need more details in order to address it: ideally a standalone test case, or just enough details for us to reproduce this issue. Thank you.
-
Security Vulnerability reported with SmartClient_10_0_Enterprise version
Hi,
Security vulnerability - Full path disclosure on MyFileGateway.
The endpoint /myfilegateway/isomorphic/IDACall is exposed on the Internet on URL https://qua-hipmft-emea.loreal.net:6443
By sending a crafted request with an invalid dataSource parameter, the application leaks a valid filepath on the server.
Response
HTTP/1.1 200 OK
Date: Mon, 14 Dec 2020 10:26:40 GMT
X-FRAME-OPTIONS: SAMEORIGIN
X-Content-Type-Options: nosniff
X-Content-Type-Options: nosniff
Cache-Control: no-cache, no-store, private, must-revalidate, max-age=0
Pragma: no-cache
Expires: Thu, 01 Jan 1970 00:00:00 GMT
Content-Type: text/plain;charset=utf-8
Server: HTTP Server
Set-Cookie: JSESSIONID=zp9detwq58xm1hwkzkq76nzbp;Path=/myfilegateway;Secure;HttpOnly
Content-Length: 337
//isc_RPCResponseStart-->[ {affectedRows:0,data:"Can't find dataSource: test_path - please make sure that you have a test_path.ds.xml file for it in one of these locations: [/data/master/IBM/si/install/tmp/local_node1_63021_1423482803/webapp/shared/] ds",invalidateCache:false,isDSResponse:true,queueStatus:-1,status:-1}
]//isc_RPCResponseEnd
Issue 2:
Security vulnerability - Exceptions information leak in MyFileGateway.
Exceptions information leak in MyFileGateway.
The endpoint /myfilegateway/isomorphic/IDACall is exposed on the internet on URL https://qua-hipmft-emea.loreal.net:6443.
By sending a crafted request, an uncaught exception is triggered in the web application, which returns an execution stack trace to the remote user.
We see following NPE coming from smartclient library.
They need to fix this NPE.
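A response-body check for the two leaks reported in this thread, added here as an example (it is not code from the thread or from SmartClient): it flags Java stack frames, exception class names and absolute server paths in an IDACall-style response, for use in a regression test after changing servlet.sendStackTraceToClient or upgrading. The sample bodies are constructed, modelled on the responses quoted above; `find_leaks`, `is_leaky` and the `/opt/app/...` path are assumptions made for illustration.

```python
import re

# Java stack frame, e.g. pkg.Class.<init>(Class.java:12). Matches whether the
# trace uses real newlines or JS-escaped "\n\tat" inside an isc.logWarn(...) body.
FRAME = re.compile(r"(?:[\w$]+\.)+(?:[\w$]+|<init>|<clinit>)\([\w$]+\.java:\d+\)")
# Fully qualified exception or error class name.
EXC = re.compile(r"(?:[\w$]+\.)+[\w$]*(?:Exception|Error)\b")
# Absolute Unix path with at least two directory levels. The lookbehind skips
# URLs and the "//isc_RPCResponseStart" / "//isc_RPCResponseEnd" markers.
PATH = re.compile(r"(?<![\w/.:])/(?:[\w.\-]+/){2,}[\w.\-]*")

# Constructed samples (not captured traffic), shaped like the thread's responses.
SAMPLE_TRACE = (
    r'isc.logWarn("java.lang.NullPointerException\n\tat '
    r'com.isomorphic.datasource.DSRequest.parseUploadedFiles(DSRequest.java:781)\n\tat '
    r'com.isomorphic.datasource.DSRequest.<init>(DSRequest.java:676)\n\tat '
    r'com.isomorphic.servlet.IDACall.doPost(IDACall.java:76)");'
)
SAMPLE_PATH = (
    '//isc_RPCResponseStart-->[{affectedRows:0,data:"Can\'t find dataSource: '
    'test_path - please make sure that you have a test_path.ds.xml file for it '
    'in one of these locations: [/opt/app/install/webapp/shared/] ds",'
    'status:-1}]//isc_RPCResponseEnd'
)
SAMPLE_CLEAN = (
    '//isc_RPCResponseStart-->[{affectedRows:0,data:"Operation failed",'
    'isDSResponse:true,status:-1}]//isc_RPCResponseEnd'
)


def find_leaks(body: str) -> dict:
    """Return the internal details found in one HTTP response body."""
    return {
        "exceptions": sorted(set(EXC.findall(body))),
        "frames": FRAME.findall(body),
        "paths": sorted(set(PATH.findall(body))),
    }


def is_leaky(body: str) -> bool:
    """True if the body exposes a stack trace, exception class or server path."""
    return any(find_leaks(body).values())


if __name__ == "__main__":
    for name, body in [("trace", SAMPLE_TRACE), ("path", SAMPLE_PATH), ("clean", SAMPLE_CLEAN)]:
        print(name, is_leaky(body), find_leaks(body))
```

The path pattern covers Unix-style paths only; a deployment on Windows would need an additional drive-letter pattern.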