Bug 45395 - UMC exposes exception stack traces
UMC exposes exception stack traces
Product: UCS
Classification: Unclassified
Component: UMC (Generic)
UCS 4.2
Other Linux
: P5 normal (vote)
: UCS 4.2-3-errata
Assigned To: Johannes Keiser
Florian Best
Depends on:
  Show dependency treegraph
Reported: 2017-09-14 10:59 CEST by Florian Best
Modified: 2018-01-29 17:14 CET (History)
1 user (show)

See Also:
What kind of report is it?: Security Issue
What type of bug is this?: ---
Who will be affected by this bug?: ---
How will those affected feel about the bug?: ---
User Pain:
Enterprise Customer affected?: Yes
School Customer affected?:
ISV affected?:
Waiting Support:
Flags outvoted (downgraded) after PO Review:
Ticket number: 2017120521000059
Bug group (optional):
Max CVSS v3 score:


Note You need to log in before you can comment on or make changes to this bug.
Description Florian Best univentionstaff 2017-09-14 10:59:03 CEST
We should unify the error handling and add a configuration option which causes that no stack traces are presented to the frontend user.
Comment 1 Florian Best univentionstaff 2017-12-07 13:31:47 CET

This ticket does not introduce a vulnerability by itself. The headers can be used to help identify security flaws which may exist as a result of the choice of technology exposed in these headers. This facilitates further steps.

The remote application does not properly handle application errors, and application stacktraces are displayed to the end user leading to information disclosure vulnerability.

1) Implement a standard exception handling mechanism to intercept all errors.
2) Ensure that version of the used framework and web server are not being exposed.



PUT /univention/"><s>"}<get/session-info?debug=1 HTTP/1.1
Host: dc-dev-01.xxxx.com
User-Agent: Mozilla/5.0 (Macintosh; Intel Mac OS X 10.12; rv:57.0) Gecko/20100101 Firefox/57.0
Accept: application/json; q=1.0, text/html; q=0.3; */*; q=0.1
Accept-Language: de-DE;charset=0x00
Accept-Encoding: gzip, deflate
Referer: https://dc-dev-01.xxxx.com/univention/%22%7C%7C
Content-Type: application/x-www-form-urlencoded
X-Requested-With: XMLHttpRequest
Connection: close
Content-Length: 1


HTTP/1.1 400 Bad Request
Date: Mon, 04 Dec 2017 13:56:18 GMT
Server: CherryPy/3.5.0
X-Permitted-Cross-Domain-Policies: master-only
X-XSS-Protection: 1; mode=block
X-Content-Type-Options: nosniff
X-Frame-Options: DENY
Content-Length: 878
Content-Type: application/json
Via: 1.1 dc-dev-01.xxxx.com
Connection: close

{"status": 400, "message": "The request entity could not be decoded. The following charsets were attempted: ['utf-8']\n\nTraceback (most recent call last):\n  File \"/usr/lib/python2.7/dist-packages/cherrypy/_cprequest.py\", line 663, in respond\n    self.body.process()\n  File \"/usr/lib/python2.7/dist-packages/cherrypy/_cpreqbody.py\", line 996, in process\n    super(RequestBody, self).process()\n  File \"/usr/lib/python2.7/dist-packages/cherrypy/_cpreqbody.py\", line 540, in process\n    proc(self)\n  File \"/usr/lib/python2.7/dist-packages/cherrypy/_cpreqbody.py\", line 173, in process_urlencoded\n    \"charsets were attempted: %s\" % repr(entity.attempt_charsets))\nHTTPError: (400, \"The request entity could not be decoded. The following charsets were attempted: ['utf-8']\")\n", "location": "https://dc-dev-01.xxxx.com/univention/\"><s>\"}<get"}
Comment 2 Johannes Keiser univentionstaff 2017-12-20 17:23:16 CET
univention-management-console (9.0.80-87):

dd891aa Bug #45395: a ucr variable that removes stack traces from messages in error case has been added
ed34cc5 Bug #45395: Add debian changelog entry
761d3c7 Bug #45395: Add YAML entry
e71cd3d Bug #45395: Merge branch 'jkeiser/bug_45395__umc_esposes_stack_traces' into 4.2-3
0f8d0b3 Bug #45395: YAML - update version

univention-management-console (10.0.0-3):

c4b8adc Bug #45395: a ucr variable that removes stack traces from messages in error case has been added
a743b7a Bug #45395: Add debian changelog entry
Comment 3 Johannes Keiser univentionstaff 2017-12-20 17:46:56 CET

univention-web (1.0.42-66):

fb0622f Bug #45395: Debian changelog entry
2d9782b Bug #45395: Add YAML file
3211753 Bug #45395: YAML - update version


univention-web (2.0.0-3):

94dcf6b Bug #45395: Debian changelog entry
Comment 4 Florian Best univentionstaff 2018-01-11 14:44:54 CET
OK: exceptions are now hidden in the UMC-Webserver if UCR variable umc/http/show_tracebacks is set to false.