Bug 45395 - UMC exposes exception stack traces
Status: CLOSED FIXED
Product: UCS
Classification: Unclassified
Component: UMC (Generic)
UCS 4.2
Other Linux
Importance: P5 normal
Target Milestone: UCS 4.2-3-errata
Assigned To: Johannes Keiser
QA Contact: Florian Best
Depends on:
Blocks:
Reported: 2017-09-14 10:59 CEST by Florian Best
Modified: 2018-01-29 17:14 CET

See Also:
What kind of report is it?: Security Issue
What type of bug is this?: ---
Who will be affected by this bug?: ---
How will those affected feel about the bug?: ---
User Pain:
Enterprise Customer affected?: Yes
School Customer affected?:
ISV affected?:
Waiting Support:
Flags outvoted (downgraded) after PO Review:
Ticket number: 2017120521000059
Bug group (optional):
Max CVSS v3 score:


Description Florian Best univentionstaff 2017-09-14 10:59:03 CEST
We should unify the error handling and add a configuration option which causes that no stack traces are presented to the frontend user.
Comment 1 Florian Best univentionstaff 2017-12-07 13:31:47 CET
RISK CLASS
====================
Misconfiguration

BUSINESS RISK
====================
This ticket does not introduce a vulnerability by itself. The headers can be used to help identify security flaws which may exist as a result of the choice of technology exposed in these headers. This facilitates further steps.

DESCRIPTION
====================
The remote application does not properly handle application errors, and application stacktraces are displayed to the end user leading to information disclosure vulnerability.

REMEDIATION
=================
1) Implement a standard exception handling mechanism to intercept all errors.
2) Ensure that version of the used framework and web server are not being exposed.

PRECONDITION
==============
n/a

PROOF OF CONCEPT
====================
Request:

PUT /univention/"><s>"}<get/session-info?debug=1 HTTP/1.1
Host: dc-dev-01.xxxx.com
User-Agent: Mozilla/5.0 (Macintosh; Intel Mac OS X 10.12; rv:57.0) Gecko/20100101 Firefox/57.0
Accept: application/json; q=1.0, text/html; q=0.3; */*; q=0.1
Accept-Language: de-DE;charset=0x00
Accept-Encoding: gzip, deflate
Referer: https://dc-dev-01.xxxx.com/univention/%22%7C%7C
Content-Type: application/x-www-form-urlencoded
X-Requested-With: XMLHttpRequest
Connection: close
Content-Length: 1
 
%3d%a9

Response

HTTP/1.1 400 Bad Request
Date: Mon, 04 Dec 2017 13:56:18 GMT
Server: CherryPy/3.5.0
X-Permitted-Cross-Domain-Policies: master-only
X-XSS-Protection: 1; mode=block
X-Content-Type-Options: nosniff
X-Frame-Options: DENY
Content-Length: 878
Content-Type: application/json
Via: 1.1 dc-dev-01.xxxx.com
Connection: close

{"status": 400, "message": "The request entity could not be decoded. The following charsets were attempted: ['utf-8']\n\nTraceback (most recent call last):\n  File \"/usr/lib/python2.7/dist-packages/cherrypy/_cprequest.py\", line 663, in respond\n    self.body.process()\n  File \"/usr/lib/python2.7/dist-packages/cherrypy/_cpreqbody.py\", line 996, in process\n    super(RequestBody, self).process()\n  File \"/usr/lib/python2.7/dist-packages/cherrypy/_cpreqbody.py\", line 540, in process\n    proc(self)\n  File \"/usr/lib/python2.7/dist-packages/cherrypy/_cpreqbody.py\", line 173, in process_urlencoded\n    \"charsets were attempted: %s\" % repr(entity.attempt_charsets))\nHTTPError: (400, \"The request entity could not be decoded. The following charsets were attempted: ['utf-8']\")\n", "location": "https://dc-dev-01.xxxx.com/univention/\"><s>\"}<get"}
Comment 2 Johannes Keiser univentionstaff 2017-12-20 17:23:16 CET
4.2-3
univention-management-console (9.0.80-87):

dd891aa Bug #45395: a ucr variable that removes stack traces from messages in error case has been added
ed34cc5 Bug #45395: Add debian changelog entry
761d3c7 Bug #45395: Add YAML entry
e71cd3d Bug #45395: Merge branch 'jkeiser/bug_45395__umc_esposes_stack_traces' into 4.2-3
0f8d0b3 Bug #45395: YAML - update version

4.3
univention-management-console (10.0.0-3):

c4b8adc Bug #45395: a ucr variable that removes stack traces from messages in error case has been added
a743b7a Bug #45395: Add debian changelog entry
Comment 3 Johannes Keiser univentionstaff 2017-12-20 17:46:56 CET
4.2-3

univention-web (1.0.42-66):

fb0622f Bug #45395: Debian changelog entry
2d9782b Bug #45395: Add YAML file
3211753 Bug #45395: YAML - update version

4.3

univention-web (2.0.0-3):

94dcf6b Bug #45395: Debian changelog entry
Comment 4 Florian Best univentionstaff 2018-01-11 14:44:54 CET
OK: exceptions are now hidden in the UMC-Webserver if UCR variable umc/http/show_tracebacks is set to false.
OK: YAML
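The remediation in Comment 1 (one exception handler that intercepts every error) and the switch QA confirmed in Comment 4 (the UCR variable umc/http/show_tracebacks), worked through as an added Python 3 example. This is not code from UMC or CherryPy: a plain dict stands in for the Univention Configuration Registry, `HTTPError` and `decode_entity` are hypothetical stand-ins for the request pipeline, and the sample body `b"=\xa9"` is constructed from the `%3d%a9` entity in the PoC. The full traceback is always written to the server log; it reaches the JSON response only when the switch is on.

```python
"""Added example (not UMC's or CherryPy's code): a central error handler
that keeps tracebacks out of JSON error responses unless a switch modelled
on the UCR variable umc/http/show_tracebacks is enabled."""
import json
import logging
import traceback

log = logging.getLogger("umc-example")

# Assumption: a dict stands in for UCR; real UMC reads the variable via the UCR API.
DEFAULT_CONFIG = {"umc/http/show_tracebacks": "false"}


def show_tracebacks(config):
    """UCR values are strings; only an explicit true-ish value enables tracebacks."""
    value = config.get("umc/http/show_tracebacks", "false")
    return str(value).strip().lower() in ("1", "yes", "true", "on", "enable", "enabled")


class HTTPError(Exception):
    """Hypothetical stand-in for an application error carrying an HTTP status."""

    def __init__(self, status, message):
        super().__init__(message)
        self.status = status
        self.message = message


def error_response(exc, config):
    """Build the error body sent to the browser.

    The traceback always goes to the server log, where an administrator can
    read it. It is copied into the response only when the switch is on; with
    the switch off the client sees the status and a message without file
    paths, line numbers or framework versions.
    """
    status = getattr(exc, "status", 500)
    # Unknown exceptions get a generic message: their str() may itself leak paths or data.
    message = exc.message if isinstance(exc, HTTPError) else "Internal server error"
    tb = "".join(traceback.format_exception(type(exc), exc, exc.__traceback__))
    log.error("request failed with status %s\n%s", status, tb)
    body = {"status": status, "message": message}
    if show_tracebacks(config):
        body["traceback"] = tb
    return body


def decode_entity(raw):
    """Mimics the step that failed in the PoC: the form body was not valid UTF-8."""
    try:
        return raw.decode("utf-8")
    except UnicodeDecodeError:
        raise HTTPError(400, "The request entity could not be decoded. "
                             "The following charsets were attempted: ['utf-8']") from None


def handle_request(raw, config=None):
    """Simulated request pipeline with a single interception point for every error."""
    config = DEFAULT_CONFIG if config is None else config
    try:
        decode_entity(raw)
    except Exception as exc:  # the standard exception handler asked for in the remediation
        return error_response(exc, config)
    return {"status": 200, "message": "ok"}


def render(body):
    """Serialise the body exactly as the client would receive it."""
    return json.dumps(body)


def leaks_traceback(response_text):
    """Check a tester can run against any error response: does it carry a Python traceback?"""
    markers = ("Traceback (most recent call last)", "/usr/lib/python")
    return any(marker in response_text for marker in markers)


if __name__ == "__main__":
    # Constructed sample input: the PoC body "%3d%a9" decodes to the bytes b"=\xa9".
    poc_body = b"=\xa9"
    for setting in ("false", "true"):
        text = render(handle_request(poc_body, {"umc/http/show_tracebacks": setting}))
        print("show_tracebacks=%s -> leaks traceback: %s" % (setting, leaks_traceback(text)))
```

`leaks_traceback` is the regression check to run against the PoC request after the fix: with the switch off, the 400 response must carry neither the `Traceback (most recent call last)` banner nor the `/usr/lib/python...` paths shown in Comment 1. The second remediation point, the `Server: CherryPy/3.5.0` header in the PoC response, is a separate web-server setting and is not covered by this switch.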