Univention Bugzilla – Full Text Bug Listing

| Summary: | UMC exposes exception stack traces | | |
|---|---|---|---|
| Product: | UCS | Reporter: | Florian Best <best> |
| Component: | UMC (Generic) | Assignee: | Johannes Keiser <keiser> |
| Status: | CLOSED FIXED | QA Contact: | Florian Best <best> |
| Severity: | normal | | |
| Priority: | P5 | CC: | stoeckigt |
| Version: | UCS 4.2 | | |
| Target Milestone: | UCS 4.2-3-errata | | |
| Hardware: | Other | | |
| OS: | Linux | | |
| See Also: | https://forge.univention.org/bugzilla/show_bug.cgi?id=45393 | | |
| What kind of report is it?: | Security Issue | What type of bug is this?: | --- |
| Who will be affected by this bug?: | --- | How will those affected feel about the bug?: | --- |
| User Pain: | | Enterprise Customer affected?: | Yes |
| School Customer affected?: | | ISV affected?: | |
| Waiting Support: | | Flags outvoted (downgraded) after PO Review: | |
| Ticket number: | 2017120521000059 | Bug group (optional): | |
| Max CVSS v3 score: | | | |
Description
Florian Best
2017-09-14 10:59:03 CEST
RISK CLASS
====================
Misconfiguration

BUSINESS RISK
====================
This ticket does not introduce a vulnerability by itself. The headers can be used to help identify security flaws which may exist as a result of the choice of technology exposed in these headers. This facilitates further steps.

DESCRIPTION
====================
The remote application does not properly handle application errors, and application stack traces are displayed to the end user, leading to an information disclosure vulnerability.

REMEDIATION
=================
1) Implement a standard exception handling mechanism to intercept all errors.
2) Ensure that the version of the used framework and web server are not being exposed.

PRECONDITION
==============
n/a

PROOF OF CONCEPT
====================
Request:

```
PUT /univention/"><s>"}<get/session-info?debug=1 HTTP/1.1
Host: dc-dev-01.xxxx.com
User-Agent: Mozilla/5.0 (Macintosh; Intel Mac OS X 10.12; rv:57.0) Gecko/20100101 Firefox/57.0
Accept: application/json; q=1.0, text/html; q=0.3; */*; q=0.1
Accept-Language: de-DE;charset=0x00
Accept-Encoding: gzip, deflate
Referer: https://dc-dev-01.xxxx.com/univention/%22%7C%7C
Content-Type: application/x-www-form-urlencoded
X-Requested-With: XMLHttpRequest
Connection: close
Content-Length: 1

%3d%a9
```

Response:

```
HTTP/1.1 400 Bad Request
Date: Mon, 04 Dec 2017 13:56:18 GMT
Server: CherryPy/3.5.0
X-Permitted-Cross-Domain-Policies: master-only
X-XSS-Protection: 1; mode=block
X-Content-Type-Options: nosniff
X-Frame-Options: DENY
Content-Length: 878
Content-Type: application/json
Via: 1.1 dc-dev-01.xxxx.com
Connection: close

{"status": 400, "message": "The request entity could not be decoded. The following charsets were attempted: ['utf-8']\n\nTraceback (most recent call last):\n File \"/usr/lib/python2.7/dist-packages/cherrypy/_cprequest.py\", line 663, in respond\n self.body.process()\n File \"/usr/lib/python2.7/dist-packages/cherrypy/_cpreqbody.py\", line 996, in process\n super(RequestBody, self).process()\n File \"/usr/lib/python2.7/dist-packages/cherrypy/_cpreqbody.py\", line 540, in process\n proc(self)\n File \"/usr/lib/python2.7/dist-packages/cherrypy/_cpreqbody.py\", line 173, in process_urlencoded\n \"charsets were attempted: %s\" % repr(entity.attempt_charsets))\nHTTPError: (400, \"The request entity could not be decoded. The following charsets were attempted: ['utf-8']\")\n", "location": "https://dc-dev-01.xxxx.com/univention/\"><s>\"}<get"}
```

4.2-3 univention-management-console (9.0.80-87):
- dd891aa Bug #45395: a ucr variable that removes stack traces from messages in error case has been added
- ed34cc5 Bug #45395: Add debian changelog entry
- 761d3c7 Bug #45395: Add YAML entry
- e71cd3d Bug #45395: Merge branch 'jkeiser/bug_45395__umc_esposes_stack_traces' into 4.2-3
- 0f8d0b3 Bug #45395: YAML - update version

4.3 univention-management-console (10.0.0-3):
- c4b8adc Bug #45395: a ucr variable that removes stack traces from messages in error case has been added
- a743b7a Bug #45395: Add debian changelog entry

4.2-3 univention-web (1.0.42-66):
- fb0622f Bug #45395: Debian changelog entry
- 2d9782b Bug #45395: Add YAML file
- 3211753 Bug #45395: YAML - update version

4.3 univention-web (2.0.0-3):
- 94dcf6b Bug #45395: Debian changelog entry

OK: exceptions are now hidden in the UMC-Webserver if UCR variable umc/http/show_tracebacks is set to false.
OK: YAML
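The two remediation points in the report (intercept all errors centrally; do not expose framework or server versions) and the shape of the fix in the QA note (a `umc/http/show_tracebacks` switch) are shown below as an added Python example. It is not UMC's or CherryPy's code: `format_error`, `decode_form_body`, `handle_request` and `audit_response` are hypothetical names, and the request body `b"%3d%a9"` is constructed from the proof of concept above. The handler reproduces the failure mode from the report (a urlencoded entity that does not decode as UTF-8, rejected with a 400) and appends the Python traceback to the JSON message only when `show_tracebacks` is true; `audit_response` is the check a tester would run against a response to confirm that neither the traceback nor a versioned `Server` header leaks.

```python
import json
import re
import traceback
from urllib.parse import unquote_to_bytes

# Marker that the leaked UMC response body in the report contained.
TRACEBACK_RE = re.compile(r"Traceback \(most recent call last\):")
# Server header that carries a product version, e.g. "CherryPy/3.5.0".
VERSION_HEADER_RE = re.compile(r"^[A-Za-z][\w.-]*/\d+(\.\d+)+")


def decode_form_body(raw, charsets=("utf-8",)):
    """Percent-decode a urlencoded entity and decode it with the allowed
    charsets, in the order a CherryPy-style body processor would try them.
    Raises ValueError with the message seen in the report when none fit."""
    data = unquote_to_bytes(raw)
    for cs in charsets:
        try:
            return data.decode(cs)
        except UnicodeDecodeError:
            continue
    raise ValueError(
        "The request entity could not be decoded. "
        "The following charsets were attempted: %r" % (list(charsets),)
    )


def format_error(status, message, exc=None, show_tracebacks=False):
    """Build the JSON body of an error response (hypothetical helper).

    The traceback is appended only when show_tracebacks is True, which is
    the behaviour the bug's UCR variable umc/http/show_tracebacks=false
    turns off. Everything else the client gets is the status and message.
    """
    body = {"status": status, "message": message}
    if show_tracebacks and exc is not None:
        tb = "".join(traceback.format_exception(type(exc), exc, exc.__traceback__))
        body["message"] = message + "\n\n" + tb
    return json.dumps(body)


def handle_request(raw_body, show_tracebacks=False):
    """Single choke point for errors: every exception from body processing
    becomes a 400 with a fixed message, never a raw traceback."""
    try:
        decode_form_body(raw_body)
        return 200, json.dumps({"status": 200})
    except ValueError as exc:
        return 400, format_error(400, str(exc), exc, show_tracebacks)


def audit_response(headers, body):
    """Return the information-disclosure findings for one HTTP response:
    a Python stack trace in the body and/or a versioned Server header."""
    findings = []
    if TRACEBACK_RE.search(body):
        findings.append("stack trace in body")
    server = headers.get("Server", "")
    if VERSION_HEADER_RE.match(server):
        findings.append("framework version in Server header: %s" % server)
    return findings


if __name__ == "__main__":
    # Constructed input: the proof-of-concept body "%3d%a9" decodes to
    # b"=\xa9", which is not valid UTF-8.
    poc_body = b"%3d%a9"
    for flag in (True, False):
        status, body = handle_request(poc_body, show_tracebacks=flag)
        print(flag, status, audit_response({"Server": "CherryPy/3.5.0"}, body))
```

With `show_tracebacks=True` the audit reports both findings from the pentest; with the flag off, and a `Server` header that no longer carries a version, it reports none. The first is the pre-fix state of the page's proof of concept; the second is what the QA note says UMC produces once `umc/http/show_tracebacks` is set to `false`.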