Bug 359579 - [Webapp] Stack trace displayed in help system for incorrect nav param value
Summary: [Webapp] Stack trace displayed in help system for incorrect nav param value
Status: RESOLVED FIXED
Alias: None
Product: Platform
Classification: Eclipse Project
Component: User Assistance (show other bugs)
Version: 4.2
Hardware: PC Windows XP
Importance: P3 normal
Target Milestone: 3.8 M3
Assignee: Chris Goldthorpe CLA
QA Contact:
URL:
Whiteboard:
Keywords:
Depends on:
Blocks:
 
Reported: 2011-09-30 11:36 EDT by steilhet CLA
Modified: 2011-10-03 14:49 EDT (History)
See Also:
Description steilhet CLA 2011-09-30 11:36:37 EDT
Build Identifier: 3.3.100.v20080521

When the nav parameter value is null or empty or an invalid character (\"  \'  ;) then a stack trace is displayed in the help browser. Stack traces should not be displayed to a user since this can be considered a security risk. Rather, a generic error page should be displayed.

Using the following url (note that the port number will change):
http://localhost:2146/help/advanced/help.jsp?nav=

Note that these 3 urls also display this same behavior:
http://localhost:2146/help/advanced/content.jsp?nav=
http://localhost:2146/help/index.jsp?nav=

There may be other urls that also display this behavior.

Where the value for nav could be:
    {blank or empty string}
    %00
    \"
    \'
    \
    ;

Will produce this request:
    GET /help/advanced/help.jsp?nav= HTTP/1.0
    Cookie: JSESSIONID=18rzut7vznm1523esa1pv9kndz; synchToc=true
    Accept: */*
    Accept-Language: en-US
    User-Agent: Mozilla/4.0 (compatible; MSIE 6.0; Win32)
    Host: localhost:2146
    Referer: http://localhost:2146/help/index.jsp?nav=/0
    
    
Which then produces this response:

HTTP/1.1 500 Internal Server Error
Content-Length: 3250
Content-Type: text/html; charset=iso-8859-1
Cache-Control: must-revalidate,no-cache,no-store
Server: Jetty(6.1.x)

<html>
<head>
<meta http-equiv="Content-Type" content="text/html; charset=ISO-8859-1"/>
<title>Error 500 INTERNAL_SERVER_ERROR</title>
</head>
<body><h2>HTTP ERROR 500</h2>
<p>Problem accessing /help/nav. Reason:
<pre>    INTERNAL_SERVER_ERROR</pre></p><h3>Caused by:</h3><pre>java.lang.NullPointerException
    at org.eclipse.help.internal.webapp.servlet.NavServlet.doGet(NavServlet.java:56)
    at javax.servlet.http.HttpServlet.service(HttpServlet.java:707)
    at javax.servlet.http.HttpServlet.service(HttpServlet.java:820)
    at org.eclipse.equinox.http.registry.internal.ServletManager$ServletWrapper.service(ServletManager.java:180)
    at org.eclipse.equinox.http.servlet.internal.ServletRegistration.service(ServletRegistration.java:61)
    at org.eclipse.equinox.http.servlet.internal.ProxyServlet.processAlias(ProxyServlet.java:126)
    at org.eclipse.equinox.http.servlet.internal.ProxyServlet.service(ProxyServlet.java:60)
    at javax.servlet.http.HttpServlet.service(HttpServlet.java:820)
    at org.eclipse.equinox.http.jetty.internal.HttpServerManager$InternalHttpServiceServlet.service(HttpServerManager.java:318)
    at org.mortbay.jetty.servlet.ServletHolder.handle(ServletHolder.java:484)
    at org.mortbay.jetty.servlet.ServletHandler.handle(ServletHandler.java:390)
    at org.mortbay.jetty.servlet.SessionHandler.handle(SessionHandler.java:182)
    at org.mortbay.jetty.handler.ContextHandler.handle(ContextHandler.java:765)
    at org.mortbay.jetty.handler.HandlerWrapper.handle(HandlerWrapper.java:152)
    at org.mortbay.jetty.Server.handle(Server.java:326)
    at org.mortbay.jetty.HttpConnection.handleRequest(HttpConnection.java:542)
    at org.mortbay.jetty.HttpConnection$RequestHandler.headerComplete(HttpConnection.java:924)
    at org.mortbay.jetty.HttpParser.parseNext(HttpParser.java:549)
    at org.mortbay.jetty.HttpParser.parseAvailable(HttpParser.java:212)
    at org.mortbay.jetty.HttpConnection.handle(HttpConnection.java:404)
    at org.mortbay.io.nio.SelectChannelEndPoint.run(SelectChannelEndPoint.java:409)
    at org.mortbay.thread.QueuedThreadPool$PoolThread.run(QueuedThreadPool.java:582)
</pre>
<hr /><i><small>Powered by Jetty://</small></i>
</body>
</html>


The stack trace should be suppressed.

Reproducible: Always

Steps to Reproduce:
1. Use the url: http://localhost:2146/help/advanced/help.jsp?nav=
   Where the nav param is either blank or %00 or \" or \' or \ or ;
2. The stack trace should be displayed
Comment 1 Chris Goldthorpe CLA 2011-09-30 13:57:31 EDT
I don't see this as a security risk since the lines all come from open source software, but I agree that it does not look good from the user's perspective and it would be better to display an error page.
Comment 2 steilhet CLA 2011-09-30 15:11:15 EDT
Actually, this is one of the OWASP top 10 issues "A6-Security Misconfiguration". (https://www.owasp.org/index.php/Top_10_2010-A6). From their site:
"Scenario #4: App server configuration allows stack traces to be returned to users, potentially exposing underlying flaws. Attackers love the extra information error messages provide."

Also see:  https://www.owasp.org/index.php/Error_Handling

The idea is that you don't want to give away any information to an attacker such as:

- Language used
- Frameworks used
- Technology used
- What the exact error is (null pointer in this case)
- file names
- directory names
- 3rd party components used

Any of this can be used by an attacker to hone their attack not just on the help system, but possibly on other components of the system as well. In this case the security research team believes that this particular bug is a low risk potential vulnerability, however, they do believe that it needs to be fixed in order to ensure that it is never used by an attacker in any way to gain extra knowledge about the system.
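As an added check (not part of the bug report or of the Eclipse help system code), the following Python script audits a raw HTTP error response for the kinds of disclosure listed in this comment: a 5xx status, a versioned Server header, the exact exception class, and stack frames that reveal source file names and third-party package prefixes. Both responses are constructed samples modelled on the Jetty response quoted in the description, not captures from a live server.

```python
import re

# Constructed sample modelled on the Jetty 500 response quoted in the bug
# report (stack trace trimmed to two frames); not captured from a live server.
LEAKY_RESPONSE = (
    "HTTP/1.1 500 Internal Server Error\r\n"
    "Content-Type: text/html; charset=iso-8859-1\r\n"
    "Server: Jetty(6.1.x)\r\n"
    "\r\n"
    "<html><body><h2>HTTP ERROR 500</h2>\n"
    "<h3>Caused by:</h3><pre>java.lang.NullPointerException\n"
    "    at org.eclipse.help.internal.webapp.servlet.NavServlet.doGet(NavServlet.java:56)\n"
    "    at javax.servlet.http.HttpServlet.service(HttpServlet.java:707)\n"
    "</pre></body></html>\n"
)

# Constructed sample of the generic error page the reporter asks for.
GENERIC_RESPONSE = (
    "HTTP/1.1 400 Bad Request\r\n"
    "Content-Type: text/html; charset=utf-8\r\n"
    "\r\n"
    "<html><body><h2>The requested help page could not be displayed.</h2></body></html>\n"
)

# One Java stack frame: package path, method, and "File.java:line".
FRAME_RE = re.compile(r"^\s*at ((?:[\w$]+\.)+)[\w$<>]+\(([\w$]+\.java:\d+)\)", re.M)
# A fully qualified exception or error class name.
EXCEPTION_RE = re.compile(r"\b(?:[a-z_]\w*\.)+[A-Z]\w*(?:Exception|Error)\b")
SERVER_RE = re.compile(r"^Server:\s*(\S.*)$", re.M | re.I)


def audit_error_response(raw):
    """Return a list of disclosure findings for one raw HTTP response (empty = clean)."""
    head, _, body = raw.replace("\r\n", "\n").partition("\n\n")
    findings = []
    status = int(head.split(None, 2)[1])
    if status >= 500:
        findings.append(f"status {status}: unhandled server error surfaced to the client")
    m = SERVER_RE.search(head)
    if m and re.search(r"\d", m.group(1)):
        findings.append(f"Server header reveals product/version: {m.group(1)}")
    exceptions = EXCEPTION_RE.findall(body)
    if exceptions:
        findings.append(f"body names the exact exception: {exceptions[0]}")
    frames = FRAME_RE.findall(body)
    if frames:
        files = sorted({f for _, f in frames})
        packages = sorted({".".join(p.split(".")[:2]) for p, _ in frames})
        findings.append(f"{len(frames)} stack frames expose source files {files} and packages {packages}")
    return findings
```

Run it over responses captured from the help server's error paths; a non-empty result for any of them means the generic error page is not yet in place.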
Comment 3 Chris Goldthorpe CLA 2011-10-03 14:49:19 EDT
A fix has been committed to master with commit message:

Bug 359579 - [Webapp] Stack trace displayed in help system for incorrect nav param value