Posted to dev@jspwiki.apache.org by "Florian Holeczek (JIRA)" <ji...@apache.org> on 2011/09/11 01:35:09 UTC
[jira] [Closed] (JSPWIKI-82) Ounce Labs Security Finding: DOS - Database Connection Close MisUse Pattern
[ https://issues.apache.org/jira/browse/JSPWIKI-82?page=com.atlassian.jira.plugin.system.issuetabpanels:all-tabpanel ]
Florian Holeczek closed JSPWIKI-82.
-----------------------------------
> Ounce Labs Security Finding: DOS - Database Connection Close MisUse Pattern
> ----------------------------------------------------------------------------
>
> Key: JSPWIKI-82
> URL: https://issues.apache.org/jira/browse/JSPWIKI-82
> Project: JSPWiki
> Issue Type: Bug
> Components: Authentication&Authorization
> Affects Versions: 2.4.104
> Reporter: Cristian Borlovan
> Assignee: Andrew Jaquith
> Fix For: 2.6.0
>
> Attachments: report.pdf
>
>
> Description:
> The application does not close its database connections properly. Typical best practices indicate the try/catch/finally pattern, where the close connections are in the finally block.
> Recommendation:
> Follow the appropriate database connection close pattern to avoid potential DOS vectors.
> Related Code Locations:
> 4 findings:
> Name: com.ecyrd.jspwiki.auth.authorize.JDBCGroupDatabase.initialize(com.ecyrd.jspwiki.WikiEngine;java.util.Properties):void
> Type: Vulnerability.AppDOS.ConnectionClose
> Severity: Medium
> Classification: Vulnerability
> File Name: Z:\jspwiki\JSPWiki_2_4_104\JSPWiki-src\src\com\ecyrd\jspwiki\auth\authorize\JDBCGroupDatabase.java
> Line / Col: 387 / 0
> Context: conn . java.sql.Connection.close ()
> -----------------------------------
> Name: com.ecyrd.jspwiki.auth.user.JDBCUserDatabase.initialize(com.ecyrd.jspwiki.WikiEngine;java.util.Properties):void
> Type: Vulnerability.AppDOS.ConnectionClose
> Severity: Medium
> Classification: Vulnerability
> File Name: Z:\jspwiki\JSPWiki_2_4_104\JSPWiki-src\src\com\ecyrd\jspwiki\auth\user\JDBCUserDatabase.java
> Line / Col: 432 / 0
> Context: conn . java.sql.Connection.close ()
> Notes: Description:
> -----------------------------------
> Name: com.ecyrd.jspwiki.auth.authorize.JDBCGroupDatabase.initialize(com.ecyrd.jspwiki.WikiEngine;java.util.Properties):void
> Type: Vulnerability.AppDOS.ConnectionClose
> Severity: Medium
> Classification: Vulnerability
> File Name: Z:\jspwiki\JSPWiki_2_4_104\JSPWiki-src\src\com\ecyrd\jspwiki\auth\authorize\JDBCGroupDatabase.java
> Line / Col: 367 / 0
> Context: conn . java.sql.Connection.close ()
> -----------------------------------
> Name: com.ecyrd.jspwiki.auth.user.JDBCUserDatabase.initialize(com.ecyrd.jspwiki.WikiEngine;java.util.Properties):void
> Type: Vulnerability.AppDOS.ConnectionClose
> Severity: Medium
> Classification: Vulnerability
> File Name: Z:\jspwiki\JSPWiki_2_4_104\JSPWiki-src\src\com\ecyrd\jspwiki\auth\user\JDBCUserDatabase.java
> Line / Col: 412 / 0
> Context: conn . java.sql.Connection.close ()
> -----------------------------------