Posted to dev@jspwiki.apache.org by "Florian Holeczek (JIRA)" <ji...@apache.org> on 2011/09/11 01:35:09 UTC

[jira] [Closed] (JSPWIKI-82) Ounce Labs Security Finding: DOS - Database Connection Close MisUse Pattern

     [ https://issues.apache.org/jira/browse/JSPWIKI-82?page=com.atlassian.jira.plugin.system.issuetabpanels:all-tabpanel ]

Florian Holeczek closed JSPWIKI-82.
-----------------------------------


> Ounce Labs Security Finding: DOS - Database Connection Close MisUse Pattern 
> ----------------------------------------------------------------------------
>
>                 Key: JSPWIKI-82
>                 URL: https://issues.apache.org/jira/browse/JSPWIKI-82
>             Project: JSPWiki
>          Issue Type: Bug
>          Components: Authentication&Authorization
>    Affects Versions: 2.4.104
>            Reporter: Cristian Borlovan
>            Assignee: Andrew Jaquith
>             Fix For: 2.6.0
>
>         Attachments: report.pdf
>
>
> Description: 
> The application does not close its database connections properly.  Typical best practices indicate the try/catch/finally pattern, where the close connections are in the finally block.
> Recommendation: 
> Follow the appropriate database connection close pattern to avoid potential DOS vectors.
> Related Code Locations: 
> 4 findings:
>   Name:           com.ecyrd.jspwiki.auth.authorize.JDBCGroupDatabase.initialize(com.ecyrd.jspwiki.WikiEngine;java.util.Properties):void
>   Type:           Vulnerability.AppDOS.ConnectionClose
>   Severity:       Medium
>   Classification: Vulnerability
>   File Name:      Z:\jspwiki\JSPWiki_2_4_104\JSPWiki-src\src\com\ecyrd\jspwiki\auth\authorize\JDBCGroupDatabase.java
>   Line / Col:     387 / 0
>   Context:        conn . java.sql.Connection.close ()
>      -----------------------------------
>   Name:           com.ecyrd.jspwiki.auth.user.JDBCUserDatabase.initialize(com.ecyrd.jspwiki.WikiEngine;java.util.Properties):void
>   Type:           Vulnerability.AppDOS.ConnectionClose
>   Severity:       Medium
>   Classification: Vulnerability
>   File Name:      Z:\jspwiki\JSPWiki_2_4_104\JSPWiki-src\src\com\ecyrd\jspwiki\auth\user\JDBCUserDatabase.java
>   Line / Col:     432 / 0
>   Context:        conn . java.sql.Connection.close ()
>   Notes:	  Description: 
>    -----------------------------------
>   Name:           com.ecyrd.jspwiki.auth.authorize.JDBCGroupDatabase.initialize(com.ecyrd.jspwiki.WikiEngine;java.util.Properties):void
>   Type:           Vulnerability.AppDOS.ConnectionClose
>   Severity:       Medium
>   Classification: Vulnerability
>   File Name:      Z:\jspwiki\JSPWiki_2_4_104\JSPWiki-src\src\com\ecyrd\jspwiki\auth\authorize\JDBCGroupDatabase.java
>   Line / Col:     367 / 0
>   Context:        conn . java.sql.Connection.close ()
>     -----------------------------------
>   Name:           com.ecyrd.jspwiki.auth.user.JDBCUserDatabase.initialize(com.ecyrd.jspwiki.WikiEngine;java.util.Properties):void
>   Type:           Vulnerability.AppDOS.ConnectionClose
>   Severity:       Medium
>   Classification: Vulnerability
>   File Name:      Z:\jspwiki\JSPWiki_2_4_104\JSPWiki-src\src\com\ecyrd\jspwiki\auth\user\JDBCUserDatabase.java
>   Line / Col:     412 / 0
>   Context:        conn . java.sql.Connection.close ()
>     -----------------------------------
