Bug 45395

Summary: UMC exposes exception stack traces
Product: UCS
Reporter: Florian Best <best>
Component: UMC (Generic)
Assignee: Johannes Keiser <keiser>
Status: CLOSED FIXED
QA Contact: Florian Best <best>
Severity: normal
Priority: P5
CC: stoeckigt
Version: UCS 4.2
Target Milestone: UCS 4.2-3-errata
Hardware: Other
OS: Linux
See Also: https://forge.univention.org/bugzilla/show_bug.cgi?id=45393
What kind of report is it?: Security Issue
What type of bug is this?: ---
Who will be affected by this bug?: ---
How will those affected feel about the bug?: ---
User Pain:
Enterprise Customer affected?: Yes
School Customer affected?:
ISV affected?:
Waiting Support:
Flags outvoted (downgraded) after PO Review:
Ticket number: 2017120521000059
Bug group (optional):
Max CVSS v3 score:

Description Florian Best univentionstaff 2017-09-14 10:59:03 CEST
We should unify the error handling and add a configuration option which causes no stack traces to be presented to the frontend user.
Comment 1 Florian Best univentionstaff 2017-12-07 13:31:47 CET
RISK CLASS
====================
Misconfiguration

BUSINESS RISK
====================
This ticket does not introduce a vulnerability by itself. The headers can be used to help identify security flaws which may exist as a result of the choice of technology exposed in these headers. This facilitates further steps.

DESCRIPTION
====================
The remote application does not properly handle application errors, and application stack traces are displayed to the end user, leading to an information disclosure vulnerability.

REMEDIATION
=================
1) Implement a standard exception handling mechanism to intercept all errors.
2) Ensure that the versions of the framework and web server used are not exposed.

PRECONDITION
==============
n/a

PROOF OF CONCEPT
====================
Request:

PUT /univention/"><s>"}<get/session-info?debug=1 HTTP/1.1
Host: dc-dev-01.xxxx.com
User-Agent: Mozilla/5.0 (Macintosh; Intel Mac OS X 10.12; rv:57.0) Gecko/20100101 Firefox/57.0
Accept: application/json; q=1.0, text/html; q=0.3; */*; q=0.1
Accept-Language: de-DE;charset=0x00
Accept-Encoding: gzip, deflate
Referer: https://dc-dev-01.xxxx.com/univention/%22%7C%7C
Content-Type: application/x-www-form-urlencoded
X-Requested-With: XMLHttpRequest
Connection: close
Content-Length: 1
 
%3d%a9

Response:

HTTP/1.1 400 Bad Request
Date: Mon, 04 Dec 2017 13:56:18 GMT
Server: CherryPy/3.5.0
X-Permitted-Cross-Domain-Policies: master-only
X-XSS-Protection: 1; mode=block
X-Content-Type-Options: nosniff
X-Frame-Options: DENY
Content-Length: 878
Content-Type: application/json
Via: 1.1 dc-dev-01.xxxx.com
Connection: close

{"status": 400, "message": "The request entity could not be decoded. The following charsets were attempted: ['utf-8']\n\nTraceback (most recent call last):\n  File \"/usr/lib/python2.7/dist-packages/cherrypy/_cprequest.py\", line 663, in respond\n    self.body.process()\n  File \"/usr/lib/python2.7/dist-packages/cherrypy/_cpreqbody.py\", line 996, in process\n    super(RequestBody, self).process()\n  File \"/usr/lib/python2.7/dist-packages/cherrypy/_cpreqbody.py\", line 540, in process\n    proc(self)\n  File \"/usr/lib/python2.7/dist-packages/cherrypy/_cpreqbody.py\", line 173, in process_urlencoded\n    \"charsets were attempted: %s\" % repr(entity.attempt_charsets))\nHTTPError: (400, \"The request entity could not be decoded. The following charsets were attempted: ['utf-8']\")\n", "location": "https://dc-dev-01.xxxx.com/univention/\"><s>\"}<get"}
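The remediation asked for above (a single exception handler that decides whether the client sees the traceback) is what the fix in the later comments implements via the UCR variable umc/http/show_tracebacks. The following is an added illustration of that pattern in Python, not code from UMC or CherryPy: the UCR registry is replaced by a plain dict of string values, the default of "tracebacks shown unless disabled" is an assumption for the demo, and HTTPError, error_response and handle_request are hypothetical names. The full traceback is always written to the server log; only the client-visible message changes with the setting, and unexpected exceptions get a generic message because str(exc) may carry internals.

```python
import json
import logging
import traceback

log = logging.getLogger("umc-webserver")

# Variable name from comment 4 of the bug; the default here is an assumption
# made for the example (the page does not state UMC's real default).
TRACEBACK_VARIABLE = "umc/http/show_tracebacks"


def show_tracebacks(ucr):
    """Interpret the UCR-style string value of umc/http/show_tracebacks.

    `ucr` is a plain dict standing in for the UCR registry (constructed
    stand-in, not the real UCR API); values are strings, as in UCR.
    """
    value = ucr.get(TRACEBACK_VARIABLE, "yes").strip().lower()
    return value in ("yes", "true", "1", "on", "enable", "enabled")


class HTTPError(Exception):
    """An error carrying a status code and a message that is safe to show."""

    def __init__(self, status, message):
        super().__init__(message)
        self.status = status


def error_response(exc, ucr):
    """Build the error body for a failed request.

    Must be called from inside an `except` block so that format_exc()
    sees the exception currently being handled.
    """
    tb = traceback.format_exc()
    if isinstance(exc, HTTPError):
        status, message = exc.status, str(exc)
    else:
        # Unexpected exceptions get a generic message: str(exc) may contain
        # file paths, queries or other internals that belong in the log only.
        status, message = 500, "Internal server error"
    # The complete traceback always goes to the server-side log.
    log.error("request failed with status %s: %s\n%s", status, exc, tb)
    if show_tracebacks(ucr):
        message = "%s\n\n%s" % (message, tb)
    return status, {"status": status, "message": message}


def handle_request(handler, ucr):
    """Run one request handler and turn any exception into a response."""
    try:
        result = handler()
    except Exception as exc:
        return error_response(exc, ucr)
    return 200, {"status": 200, "result": result}


if __name__ == "__main__":
    def failing_handler():
        # Constructed failure mirroring the 400 in the proof of concept above.
        raise HTTPError(400, "The request entity could not be decoded.")

    for setting in ("true", "false"):
        status, body = handle_request(failing_handler, {TRACEBACK_VARIABLE: setting})
        print(setting, status, json.dumps(body))
```

Running the block prints the same 400 twice, once with the traceback appended to the message and once without; the log line carries the traceback in both cases, which is where operators should look for it once the variable is set to false.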
Comment 2 Johannes Keiser univentionstaff 2017-12-20 17:23:16 CET
4.2-3
univention-management-console (9.0.80-87):

dd891aa Bug #45395: a ucr variable that removes stack traces from messages in error case has been added
ed34cc5 Bug #45395: Add debian changelog entry
761d3c7 Bug #45395: Add YAML entry
e71cd3d Bug #45395: Merge branch 'jkeiser/bug_45395__umc_esposes_stack_traces' into 4.2-3
0f8d0b3 Bug #45395: YAML - update version

4.3
univention-management-console (10.0.0-3):

c4b8adc Bug #45395: a ucr variable that removes stack traces from messages in error case has been added
a743b7a Bug #45395: Add debian changelog entry
Comment 3 Johannes Keiser univentionstaff 2017-12-20 17:46:56 CET
4.2-3

univention-web (1.0.42-66):

fb0622f Bug #45395: Debian changelog entry
2d9782b Bug #45395: Add YAML file
3211753 Bug #45395: YAML - update version

4.3

univention-web (2.0.0-3):

94dcf6b Bug #45395: Debian changelog entry
Comment 4 Florian Best univentionstaff 2018-01-11 14:44:54 CET
OK: exceptions are now hidden in the UMC-Webserver if UCR variable umc/http/show_tracebacks is set to false.
OK: YAML