Posted to dev@myfaces.apache.org by "Aleksander Adamowski (JIRA)" <de...@myfaces.apache.org> on 2007/12/12 15:18:43 UTC

[jira] Created: (TRINIDAD-866) Security: Trinidad reveals sensitive information about software versions in generated HTML comments

Security: Trinidad reveals sensitive information about software versions in generated HTML comments
---------------------------------------------------------------------------------------------------

                 Key: TRINIDAD-866
                 URL: https://issues.apache.org/jira/browse/TRINIDAD-866
             Project: MyFaces Trinidad
          Issue Type: Bug
    Affects Versions: 1.0.2-plugins
         Environment: JBoss 4.2.0.GA_CP01 on Red Hat
            Reporter: Aleksander Adamowski


In the output HTML generated by Trinidad, one can discover the following comments:

<!--Created by Apache Trinidad (Apache MyFaces Trinidad API - 1.0.2/Apache MyFaces Trinidad Impl - 1.0.2), skin:beach.desktop (beach)-->

Outputting this kind of information qualifies as a sensitive information leak, as it reveals detailed information about the software configuration of the application server's component and can be used by a potential attacker to his advantage.

No information in the documentation was found as to whether this disclosure can be disabled.

-- 
This message is automatically generated by JIRA.
-
You can reply to this email to add a comment to the issue online.


[jira] Commented: (TRINIDAD-866) Security: Trinidad reveals sensitive information about software versions in generated HTML comments

Posted by "Kunal (JIRA)" <de...@myfaces.apache.org>.
    [ https://issues.apache.org/jira/browse/TRINIDAD-866?page=com.atlassian.jira.plugin.system.issuetabpanels:comment-tabpanel&focusedCommentId=12718596#action_12718596 ] 

Kunal commented on TRINIDAD-866:
--------------------------------

I am interested in a fix for 

<!--Created by Apache Trinidad (Apache MyFaces Trinidad API - 1.0.2/Apache MyFaces Trinidad Impl - 1.0.2), skin:beach.desktop (beach)-->

but I am surprised that no one has watched or voted for this for about 1.5 years.




[jira] Commented: (TRINIDAD-866) Security: Trinidad reveals sensitive information about software versions in generated HTML comments

Posted by "Aleksander Adamowski (JIRA)" <de...@myfaces.apache.org>.
    [ https://issues.apache.org/jira/browse/TRINIDAD-866?page=com.atlassian.jira.plugin.system.issuetabpanels:comment-tabpanel#action_12550979 ] 

Aleksander Adamowski commented on TRINIDAD-866:
-----------------------------------------------

Also, when a database access error occurs, myfaces outputs sensitive data to the attacker (user) instead of to the server logs:

Error 500: .myfaces.trinidadinternal.
oracle.uix=0^^GMT+1:00;
Błąd : ORA-06502: PL/SQL
inne


This is VERY BAD security practice.


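As an added example (not code from this thread or from the Trinidad project), the following Python check scans captured HTTP response bodies for the two disclosures reported above: the generator comment carrying component versions and the skin name, and raw Oracle error codes on an error page. The sample responses are constructed; the comment format follows the text quoted in the issue.

```python
import re
from html.parser import HTMLParser

# Generator comment format as quoted in TRINIDAD-866:
# "Created by Apache Trinidad (<name - version>/<name - version>), skin:<skin> (...)"
TRINIDAD_COMMENT = re.compile(
    r"Created by Apache Trinidad \((?P<components>[^)]*)\)(?:, skin:(?P<skin>\S+))?"
)
# "Name - version" pairs separated by "/" inside the parentheses.
COMPONENT = re.compile(r"(?P<name>[^/]+?)\s+-\s+(?P<version>\d[\w.\-]*)")
# Oracle error codes such as the ORA-06502 shown in the leaked error page.
ORA_CODE = re.compile(r"\bORA-\d{5}\b")

# Constructed sample responses for demonstration only.
SAMPLE_PAGE = (
    "<html><head><title>app</title></head><body>"
    "<!--Created by Apache Trinidad (Apache MyFaces Trinidad API - 1.0.2/"
    "Apache MyFaces Trinidad Impl - 1.0.2), skin:beach.desktop (beach)-->"
    "<p>Hello</p></body></html>"
)
SAMPLE_ERROR = "<html><body><h1>Error 500</h1><pre>ORA-06502: PL/SQL</pre></body></html>"


class CommentCollector(HTMLParser):
    """Collects the text of every HTML comment in a document."""

    def __init__(self):
        super().__init__()
        self.comments = []

    def handle_comment(self, data):
        self.comments.append(data.strip())


def find_version_disclosure(html):
    """Return component versions, skin name and Oracle error codes found in one response body."""
    parser = CommentCollector()
    parser.feed(html)
    findings = {"components": {}, "skin": None, "ora_codes": []}
    for comment in parser.comments:
        match = TRINIDAD_COMMENT.search(comment)
        if not match:
            continue
        for comp in COMPONENT.finditer(match.group("components")):
            findings["components"][comp.group("name").strip()] = comp.group("version")
        findings["skin"] = match.group("skin")
    findings["ora_codes"] = sorted(set(ORA_CODE.findall(html)))
    return findings


if __name__ == "__main__":
    for body in (SAMPLE_PAGE, SAMPLE_ERROR):
        print(find_version_disclosure(body))
```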