Some Eclipse Foundation services are deprecated, or will be soon. Please ensure you've read this important communication.

Bug 359579

Summary: [Webapp] Stack trace displayed in help system for incorrect nav param value
Product: [Eclipse Project] Platform Reporter: steilhet
Component: User AssistanceAssignee: Chris Goldthorpe <cgold>
Status: RESOLVED FIXED QA Contact:
Severity: normal    
Priority: P3 CC: cgold, steilhet
Version: 4.2   
Target Milestone: 3.8 M3   
Hardware: PC   
OS: Windows XP   
Whiteboard:

Description steilhet CLA 2011-09-30 11:36:37 EDT 
Build Identifier: 3.3.100.v20080521

When the nav parameter value is null or empty or an invalid character (\"  \'  ;) then a stack trace is displayed in the help browser. Stack traces should not be displayed to a user since this can be considered a security risk. Rather, a generic error page should be displayed

Using the following url (note that the port number will change):
http://localhost:2146/help/advanced/help.jsp?nav=

Note that these 3 urls also display this same behavior:
http://localhost:2146/help/advanced/content.jsp?nav=
http://localhost:2146/help/index.jsp?nav=

There may be other urls that also display this behavior.

where the value for nav could be:
    {blank or empty string}
    %00
    \"
    \'
    \
    ;

Will produce this request:
    GET /help/advanced/help.jsp?nav= HTTP/1.0
    Cookie: JSESSIONID=18rzut7vznm1523esa1pv9kndz; synchToc=true
    Accept: */*
    Accept-Language: en-US
    User-Agent: Mozilla/4.0 (compatible; MSIE 6.0; Win32)
    Host: localhost:2146
    Referer: http://localhost:2146/help/index.jsp?nav=/0
    
    
Which then produces this response:

HTTP/1.1 500 Internal Server Error
Content-Length: 3250
Content-Type: text/html; charset=iso-8859-1
Cache-Control: must-revalidate,no-cache,no-store
Server: Jetty(6.1.x)

<html>
<head>
<meta http-equiv="Content-Type" content="text/html; charset=ISO-8859-1"/>
<title>Error 500 INTERNAL_SERVER_ERROR</title>
</head>
<body><h2>HTTP ERROR 500</h2>
<p>Problem accessing /help/nav. Reason:
<pre>    INTERNAL_SERVER_ERROR</pre></p><h3>Caused by:</h3><pre>java.lang.NullPointerException
    at org.eclipse.help.internal.webapp.servlet.NavServlet.doGet(NavServlet.java:56)
    at javax.servlet.http.HttpServlet.service(HttpServlet.java:707)
    at javax.servlet.http.HttpServlet.service(HttpServlet.java:820)
    at org.eclipse.equinox.http.registry.internal.ServletManager$ServletWrapper.service(ServletManager.java:180)
    at org.eclipse.equinox.http.servlet.internal.ServletRegistration.service(ServletRegistration.java:61)
    at org.eclipse.equinox.http.servlet.internal.ProxyServlet.processAlias(ProxyServlet.java:126)
    at org.eclipse.equinox.http.servlet.internal.ProxyServlet.service(ProxyServlet.java:60)
    at javax.servlet.http.HttpServlet.service(HttpServlet.java:820)
    at org.eclipse.equinox.http.jetty.internal.HttpServerManager$InternalHttpServiceServlet.service(HttpServerManager.java:318)
    at org.mortbay.jetty.servlet.ServletHolder.handle(ServletHolder.java:484)
    at org.mortbay.jetty.servlet.ServletHandler.handle(ServletHandler.java:390)
    at org.mortbay.jetty.servlet.SessionHandler.handle(SessionHandler.java:182)
    at org.mortbay.jetty.handler.ContextHandler.handle(ContextHandler.java:765)
    at org.mortbay.jetty.handler.HandlerWrapper.handle(HandlerWrapper.java:152)
    at org.mortbay.jetty.Server.handle(Server.java:326)
    at org.mortbay.jetty.HttpConnection.handleRequest(HttpConnection.java:542)
    at org.mortbay.jetty.HttpConnection$RequestHandler.headerComplete(HttpConnection.java:924)
    at org.mortbay.jetty.HttpParser.parseNext(HttpParser.java:549)
    at org.mortbay.jetty.HttpParser.parseAvailable(HttpParser.java:212)
    at org.mortbay.jetty.HttpConnection.handle(HttpConnection.java:404)
    at org.mortbay.io.nio.SelectChannelEndPoint.run(SelectChannelEndPoint.java:409)
    at org.mortbay.thread.QueuedThreadPool$PoolThread.run(QueuedThreadPool.java:582)
</pre>
<hr /><i><small>Powered by Jetty://</small></i>
</body>
</html>


The stack trace should be suppressed.

Reproducible: Always

Steps to Reproduce:
1. Use the url:  http://localhost:2146/help/advanced/help.jsp?nav=
   Where the nav para is either blank or %00 or \" or \' or \ or ;
2. The stack trace should be displayed
Comment 1 Chris Goldthorpe CLA 2011-09-30 13:57:31 EDT 
I don't see this as a security risk since the lines all come from open source software but I agree that it does not look good from the users perspective and it would be better to display an error page.
Comment 2 steilhet CLA 2011-09-30 15:11:15 EDT 
Actually, this is one of the OWASP top 10 issues "A6-Security Misconfiguration". (https://www.owasp.org/index.php/Top_10_2010-A6). From their site:
"Scenario #4: App server configuration allows stack traces to be returned to users, potentially exposing underlying flaws. Attackers love the extra information error messages provide."

Also see:  https://www.owasp.org/index.php/Error_Handling

The idea is that you don't want to give away any information to an attacker such as:

- Language used
- Frameworks used
- Technology used
- What the exact error is (null pointer in this case)
- file names
- directory names
- 3rd party components used

Any of this can be used by an attacker to hone their attack not just on the help system, but possibly on other components of the system as well. In this case the security research team believes that this particular bug is a low risk potential vulnerability, however, they do believe that it needs to be fixed in order to ensure that it is never used by an attacker in any way to gain extra knowledge about the system.
Comment 3 Chris Goldthorpe CLA 2011-10-03 14:49:19 EDT 
A fix has been committed to master with commit message:

Bug 359579 - [Webapp] Stack trace displayed in help system for incorrect nav param value