Bug 45395 - UMC exposes exception stack traces
UMC exposes exception stack traces
Status: CLOSED FIXED
Product: UCS
Classification: Unclassified
Component: UMC (Generic)
UCS 4.2
Other Linux
: P5 normal (vote)
: UCS 4.2-3-errata
Assigned To: Johannes Keiser
Florian Best
:
Depends on:
Blocks:
  Show dependency treegraph
 
Reported: 2017-09-14 10:59 CEST by Florian Best
Modified: 2018-01-29 17:14 CET (History)
1 user (show)

See Also:
What kind of report is it?: Security Issue
What type of bug is this?: ---
Who will be affected by this bug?: ---
How will those affected feel about the bug?: ---
User Pain:
Enterprise Customer affected?: Yes
School Customer affected?:
ISV affected?:
Waiting Support:
Ticket number: 2017120521000059
Bug group (optional):
Max CVSS v3 score:


Attachments

Note You need to log in before you can comment on or make changes to this bug.
Description Florian Best univentionstaff 2017-09-14 10:59:03 CEST
We should unify the error handling and add a configuration option which causes that no stack traces are presented to the frontend user.
Comment 1 Florian Best univentionstaff 2017-12-07 13:31:47 CET
RISK CLASS
====================
Misconfiguration

BUSINESS RISK
====================
This ticket does not introduce a vulnerability by itself. The headers can be used to help identify security flaws which may exist as a result of the choice of technology exposed in these headers. This facilitates further steps.

DESCRIPTION
====================
The remote application does not properly handle application errors, and application stacktraces are displayed to the end user leading to information disclosure vulnerability.

REMEDIATION
=================
1) Implement a standard exception handling mechanism to intercept all errors.
2) Ensure that version of the used framework and web server are not being exposed.

PRECONDITION
==============
n/a

PROOF OF CONCEPT
====================
Request:

PUT /univention/"><s>"}<get/session-info?debug=1 HTTP/1.1
Host: dc-dev-01.xxxx.com
User-Agent: Mozilla/5.0 (Macintosh; Intel Mac OS X 10.12; rv:57.0) Gecko/20100101 Firefox/57.0
Accept: application/json; q=1.0, text/html; q=0.3; */*; q=0.1
Accept-Language: de-DE;charset=0x00
Accept-Encoding: gzip, deflate
Referer: https://dc-dev-01.xxxx.com/univention/%22%7C%7C
Content-Type: application/x-www-form-urlencoded
X-Requested-With: XMLHttpRequest
Connection: close
Content-Length: 1
 
%3d%a9

Response

HTTP/1.1 400 Bad Request
Date: Mon, 04 Dec 2017 13:56:18 GMT
Server: CherryPy/3.5.0
X-Permitted-Cross-Domain-Policies: master-only
X-XSS-Protection: 1; mode=block
X-Content-Type-Options: nosniff
X-Frame-Options: DENY
Content-Length: 878
Content-Type: application/json
Via: 1.1 dc-dev-01.xxxx.com
Connection: close

{"status": 400, "message": "The request entity could not be decoded. The following charsets were attempted: ['utf-8']\n\nTraceback (most recent call last):\n  File \"/usr/lib/python2.7/dist-packages/cherrypy/_cprequest.py\", line 663, in respond\n    self.body.process()\n  File \"/usr/lib/python2.7/dist-packages/cherrypy/_cpreqbody.py\", line 996, in process\n    super(RequestBody, self).process()\n  File \"/usr/lib/python2.7/dist-packages/cherrypy/_cpreqbody.py\", line 540, in process\n    proc(self)\n  File \"/usr/lib/python2.7/dist-packages/cherrypy/_cpreqbody.py\", line 173, in process_urlencoded\n    \"charsets were attempted: %s\" % repr(entity.attempt_charsets))\nHTTPError: (400, \"The request entity could not be decoded. The following charsets were attempted: ['utf-8']\")\n", "location": "https://dc-dev-01.xxxx.com/univention/\"><s>\"}<get"}
Comment 2 Johannes Keiser univentionstaff 2017-12-20 17:23:16 CET
4.2-3
univention-management-console (9.0.80-87):

dd891aa Bug #45395: a ucr variable that removes stack traces from messages in error case has been added
ed34cc5 Bug #45395: Add debian changelog entry
761d3c7 Bug #45395: Add YAML entry
e71cd3d Bug #45395: Merge branch 'jkeiser/bug_45395__umc_esposes_stack_traces' into 4.2-3
0f8d0b3 Bug #45395: YAML - update version

4.3
univention-management-console (10.0.0-3):

c4b8adc Bug #45395: a ucr variable that removes stack traces from messages in error case has been added
a743b7a Bug #45395: Add debian changelog entry
Comment 3 Johannes Keiser univentionstaff 2017-12-20 17:46:56 CET
4.2-3

univention-web (1.0.42-66):

fb0622f Bug #45395: Debian changelog entry
2d9782b Bug #45395: Add YAML file
3211753 Bug #45395: YAML - update version

4.3

univention-web (2.0.0-3):

94dcf6b Bug #45395: Debian changelog entry
Comment 4 Florian Best univentionstaff 2018-01-11 14:44:54 CET
OK: exceptions are now hidden in the UMC-Webserver if UCR variable umc/http/show_tracebacks is set to false.
OK: YAML