[
https://issues.apache.org/jira/browse/TRINIDAD-866?page=com.atlassian.jira.plugin.system.issuetabpanels:comment-tabpanel#action_12550979
]
Aleksander Adamowski commented on TRINIDAD-866:
-----------------------------------------------
Also, when a database access error occurs, myfaces outputs sensitive data to
the attacker (user) instead of to the server logs:
Error 500: .myfaces.trinidadinternal.
oracle.uix=0^^GMT+1:00;
Error : ORA-06502: PL/SQL
other
This is VERY BAD security practice.
> Security: Trinidad reveals sensitive information about software versions in
> generated HTML comments
> ---------------------------------------------------------------------------------------------------
>
> Key: TRINIDAD-866
> URL: https://issues.apache.org/jira/browse/TRINIDAD-866
> Project: MyFaces Trinidad
> Issue Type: Bug
> Affects Versions: 1.0.2-plugins
> Environment: JBoss 4.2.0.GA_CP01 on Red Hat
> Reporter: Aleksander Adamowski
>
> In the output HTML generated by Trinidad, one can discover the following
> comments:
> <!--Created by Apache Trinidad (Apache MyFaces Trinidad API - 1.0.2/Apache
> MyFaces Trinidad Impl - 1.0.2), skin:beach.desktop (beach)-->
> Outputting this kind of information qualifies as a sensitive information leak,
> as it reveals detailed information about the software configuration of the
> application server's component and can be used by a potential attacker to his
> advantage.
> No information in the documentation was found as to whether this disclosure
> can be disabled.
--
This message is automatically generated by JIRA.
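As an added check for the two disclosures this issue describes (this is example code written for this page, not code from the Trinidad project or from the issue's reporter), the Python below scans HTTP response bodies for the generator comment that carries the Trinidad API/Impl versions and skin name, and for server-side detail (Oracle error codes, Java exception names, stack frames) that has reached the client on an error page. The sample HTML is constructed for the example: the first page reuses the comment format quoted in the issue, while the error page, its exception name and the `com.example` stack frame are invented.

```python
import re
from typing import Dict, List

# Constructed sample responses for this example; not captured from any real server.
# SAMPLE_PAGE reproduces the generator comment format quoted in TRINIDAD-866.
SAMPLE_PAGE = """<html><head><title>App</title></head>
<body>
<!--Created by Apache Trinidad (Apache MyFaces Trinidad API - 1.0.2/Apache MyFaces Trinidad Impl - 1.0.2), skin:beach.desktop (beach)-->
<p>Hello</p>
</body></html>"""

# SAMPLE_ERROR_PAGE is an invented 500 page that echoes a database error and a
# stack trace to the client (the exception and frame are hypothetical).
SAMPLE_ERROR_PAGE = """<html><body>
<h1>Error 500</h1>
<pre>javax.faces.el.EvaluationException: ORA-06502: PL/SQL: numeric or value error
    at com.example.app.OrderDao.load(OrderDao.java:42)
</pre></body></html>"""

# The generator comment Trinidad writes; 'detail' holds the API/Impl versions,
# 'skin' the skin name that follows the closing parenthesis.
TRINIDAD_COMMENT_RE = re.compile(
    r"<!--\s*Created by Apache Trinidad\s*\((?P<detail>[^)]*)\)"
    r"(?:,\s*skin:(?P<skin>.*?))?\s*-->",
    re.IGNORECASE,
)
VERSION_RE = re.compile(r"Trinidad (API|Impl) - ([\w.\-]+)")

# Fingerprints of server-side detail that belongs in server logs, not in a response.
LEAK_PATTERNS = {
    "oracle_error": re.compile(r"\bORA-\d{5}\b"),
    "java_exception": re.compile(r"\b[\w.]+Exception\b"),
    "java_stack_frame": re.compile(r"^\s+at [\w$.]+\(", re.MULTILINE),
}


def find_generator_disclosure(html: str) -> Dict[str, str]:
    """Return version and skin info disclosed by a Trinidad generator comment.

    Keys: 'comment' (the raw comment), 'api', 'impl' (version strings) and
    'skin' when present. Returns an empty dict if no such comment exists.
    """
    m = TRINIDAD_COMMENT_RE.search(html)
    if not m:
        return {}
    found = {"comment": m.group(0)}
    for component, version in VERSION_RE.findall(m.group("detail")):
        found[component.lower()] = version
    if m.group("skin"):
        found["skin"] = m.group("skin").strip()
    return found


def find_error_leaks(html: str) -> List[str]:
    """Return the names of LEAK_PATTERNS that match the response body."""
    return [name for name, pattern in LEAK_PATTERNS.items() if pattern.search(html)]


def audit_response(html: str) -> List[str]:
    """Summarise both classes of disclosure as human-readable findings."""
    findings = []
    disclosure = find_generator_disclosure(html)
    if disclosure:
        versions = ", ".join(
            f"{k}={disclosure[k]}" for k in ("api", "impl", "skin") if k in disclosure
        )
        findings.append(f"generator comment discloses {versions}")
    for name in find_error_leaks(html):
        findings.append(f"server-side detail leaked to client: {name}")
    return findings


if __name__ == "__main__":
    for label, body in (("normal page", SAMPLE_PAGE), ("error page", SAMPLE_ERROR_PAGE)):
        print(label)
        for finding in audit_response(body) or ["no disclosure found"]:
            print("  -", finding)
```

In practice you would feed `audit_response` the bodies of crawled responses, including deliberately triggered error responses, since the second class of leak only shows up when the backend fails.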