Security: Trinidad reveals sensitive information about software versions in
generated HTML comments
---------------------------------------------------------------------------------------------------
Key: TRINIDAD-866
URL: https://issues.apache.org/jira/browse/TRINIDAD-866
Project: MyFaces Trinidad
Issue Type: Bug
Affects Versions: 1.0.2-plugins
Environment: JBoss 4.2.0.GA_CP01 on Red Hat
Reporter: Aleksander Adamowski
In the output HTML generated by Trinidad, one can discover the following
comments:
<!--Created by Apache Trinidad (Apache MyFaces Trinidad API - 1.0.2/Apache
MyFaces Trinidad Impl - 1.0.2), skin:beach.desktop (beach)-->
Outputting this kind of information qualifies as a sensitive information leak, as
it reveals detailed information about the software configuration of the application
server's component and can be used by a potential attacker to his advantage.
No information in the documentation was found as to whether this disclosure can
be disabled.
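A check for the disclosure described in this report, as an added example that is not part of the original issue or of the Trinidad code base: it parses rendered HTML and flags comments that carry version-like tokens or generator banners. The names `audit_html` and `CommentAuditor`, the banner phrase list and the sample page are assumptions constructed for illustration; only the Trinidad comment in the sample is taken from the report.

```python
import re
from html.parser import HTMLParser

# Version-like token such as 1.0.2 or 4.2.0.GA_CP01
VERSION_RE = re.compile(r"\b\d+(?:\.\d+)+(?:[._-][A-Za-z0-9_]+)*\b")
# Phrases typical of generator banners (assumed list, extend for your stack)
BANNER_RE = re.compile(r"\b(?:created|generated|powered)\s+by\b", re.I)

# Constructed sample page; the last comment is the one quoted in the report.
SAMPLE_PAGE = """<html><head><title>Demo</title></head>
<body>
<!-- navigation starts here -->
<p>Hello</p>
<!--Created by Apache Trinidad (Apache MyFaces Trinidad API - 1.0.2/Apache
MyFaces Trinidad Impl - 1.0.2), skin:beach.desktop (beach)-->
</body></html>
"""


class CommentAuditor(HTMLParser):
    """Collects HTML comments that look like software or version banners."""

    def __init__(self):
        super().__init__()
        self.findings = []

    def handle_comment(self, data):
        text = " ".join(data.split())  # a comment may wrap across lines
        versions = VERSION_RE.findall(text)
        if versions or BANNER_RE.search(text):
            line, _col = self.getpos()  # position where the comment starts
            self.findings.append(
                {"line": line, "versions": versions, "comment": text}
            )


def audit_html(html):
    """Return one finding per comment that discloses product or version data."""
    auditor = CommentAuditor()
    auditor.feed(html)
    auditor.close()
    return auditor.findings


if __name__ == "__main__":
    for finding in audit_html(SAMPLE_PAGE):
        print(f"line {finding['line']}: {finding['versions']} in {finding['comment']!r}")
```

Run against responses captured from a staging deployment, a non-empty result can fail a build or release check until the banner is suppressed or stripped.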