synchronoss / cpo-api

Class Persistence Object (CPO) Application Programming Interface (API).
GNU Lesser General Public License v2.1

Security Vulnerability: Sensitive Information Leakage #29

Closed bsmedley closed 8 years ago

bsmedley commented 8 years ago

Full stack trace thrown and displayed on screen; see attached screenshot. Stack trace is printed from cpo-core: [jar:org.synchronoss.cpo:cpo-core:5.1.1] to [lib/cpo-core-5.1.1.jar], org.synchronoss.cpo.exporter.XmlExporterServlet:

```java
public void doPost(...) {
    ...
    } catch (Exception e) {
        response.setContentType(HTML_CONTENT_TYPE);
        pw.println("ERROR ... Error generating xml: ...");  // surrounding HTML markup elided
        e.printStackTrace(pw);                              // full stack trace written into the HTTP response
        pw.println("...");
    }
}
```

(attached screenshot: screen shot 2016-04-22 at 15 06 13)

berryware commented 8 years ago

Do you just want the stack trace removed? Are you good with it saying that no meta descriptor is defined?

bsmedley commented 8 years ago

Yeah that’s what we did for other internal errors. This came out of a pen test GIS had done.


berryware commented 8 years ago

Fixed and merged
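The pattern the issue reports, and the shape of the fix berryware describes (drop the trace, say only that no meta descriptor is defined), as an added example that is not cpo-api's code. It models the servlet's catch block with plain PrintWriters so it runs without the Servlet API; the HTML tags, the per-request incident id, the logger and the constructed exception with an internal path are all assumptions for illustration.

```java
import java.io.FileNotFoundException;
import java.io.PrintWriter;
import java.io.StringWriter;
import java.util.UUID;
import java.util.logging.Level;
import java.util.logging.Logger;

// Added example, not cpo-api code. HTML_CONTENT_TYPE handling and the servlet
// response object are omitted; only the body written to the client is modelled.
public class ErrorResponse {
    private static final Logger LOG = Logger.getLogger(ErrorResponse.class.getName());

    // Before: mirrors the reported catch block (markup assumed). Everything the
    // exception carries (internal class names, file paths, parser/JDBC messages,
    // frames of non-public packages) is sent to the browser.
    static String leakyError(Exception e) {
        StringWriter body = new StringWriter();
        PrintWriter pw = new PrintWriter(body);
        pw.println("<h1>ERROR</h1><h2>Error generating xml:</h2><pre>");
        e.printStackTrace(pw);
        pw.println("</pre>");
        pw.flush();
        return body.toString();
    }

    // After: the trace stays in the server log, keyed by an incident id so an
    // operator can still correlate a user report; the client gets a fixed
    // message and the id only. (Incident id is an addition beyond the thread.)
    static String safeError(Exception e) {
        String incidentId = UUID.randomUUID().toString();
        LOG.log(Level.SEVERE, "XML export failed, incident " + incidentId, e);
        StringWriter body = new StringWriter();
        PrintWriter pw = new PrintWriter(body);
        pw.println("<h1>ERROR</h1>");
        pw.println("<p>Error generating xml: no meta descriptor is defined.</p>");
        pw.println("<p>Reference: " + incidentId + "</p>");
        pw.flush();
        return body.toString();
    }

    // Crude check usable in a regression test: a response body must not carry
    // stack-frame markers or exception class names.
    static boolean exposesStackTrace(String body) {
        return body.contains("\tat ") || body.contains("Exception");
    }

    public static void main(String[] args) {
        // Constructed failure: a missing meta descriptor whose cause names an
        // internal config path, the kind of detail a pen tester harvests.
        Exception boom = new IllegalStateException(
                "no meta descriptor for class com.example.internal.Order",
                new FileNotFoundException("/opt/cpo/conf/cpo_meta.xml"));

        String leaky = leakyError(boom);
        String safe = safeError(boom);

        System.out.println("leaky body exposes trace: " + exposesStackTrace(leaky));
        System.out.println("safe body exposes trace:  " + exposesStackTrace(safe));
        System.out.println("--- safe body as the client sees it ---");
        System.out.print(safe);
    }
}
```

Run `javac ErrorResponse.java && java ErrorResponse`; the leaky body prints the nested cause with the config path, the safe body carries only the fixed message and the reference id, and the full trace appears on stderr via java.util.logging where it belongs.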