Idea Details

Security Issues with Error Messages

Last activity 07-25-2017 09:39 AM
SamCreek
08-05-2016 04:38 PM

Summary:

Essentially the concern is that upon errors TEWS provides unneeded information to the client which can later be abused to harm the server. Errors carry information like host names, ports, functions, methods, code package names, stack traces etc. – all of which may support a harmful client to fish for information from the server so it can subsequently abuse it against the server.

Impact:


Detailed technical error messages can allow an attacker to gain information about the application and database that could be used to conduct an attack. This information could include the names of database tables and columns, the structure of database queries, method names, configuration details, etc.


Details:


This can be reproduced easily by sending a malformed request to the endpoint. This yields a detailed (500) error message which leaks server name, version and other details.

What we are asking for is to have a generic error message that provides no valuable info such as: “TEWS Error” and nothing else.

What should still be the same:

Form invalidation responses may still return errors with specific strings which give more information, e.g. a duplicate user id.

Remediation Suggested:

These errors may be logged to a separate file instead of being thrown out to the client so that we may still be able to understand the cause for debug.
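The pattern this idea asks for, as an added illustration that is not part of the original post and not CA's own TEWS code: a request handler that still returns the specific text of form-invalidation errors (the duplicate user id case above) but answers every other failure with the generic "TEWS Error" plus a reference id, while the full stack trace goes to a server-side log under that same id so it can still be found for debugging. The user store, the request bodies and the in-memory log sink are constructed for the example; a real deployment would point the logger at a separate file. A leaky "before" handler and a small response check are included so the two behaviours can be compared.

```python
import json
import logging
import traceback
import uuid

# Server-side log sink. Constructed for the example: an in-memory list stands
# in for the separate log file the idea asks for.
LOGGED = []


class _ListHandler(logging.Handler):
    def emit(self, record):
        LOGGED.append(self.format(record))  # default formatter appends the traceback


_log = logging.getLogger("tews.errors")
_log.setLevel(logging.ERROR)
_log.addHandler(_ListHandler())
_log.propagate = False


class ValidationError(Exception):
    """A form-invalidation error whose text is intended for the client."""


# Constructed stand-in for the user directory.
_EXISTING_USERS = {"alice", "bob"}


def create_user(payload: dict) -> dict:
    """Hypothetical create-user operation with two client-safe validation errors."""
    user_id = payload.get("userId")
    if not isinstance(user_id, str) or not user_id:
        raise ValidationError("userId is required")
    if user_id in _EXISTING_USERS:
        raise ValidationError("duplicate user id")
    _EXISTING_USERS.add(user_id)
    return {"userId": user_id}


def handle_request_verbose(raw_body: str):
    """'Before': any unexpected failure is answered with the full traceback,
    which names source files, functions and library internals."""
    try:
        return 200, create_user(json.loads(raw_body))
    except ValidationError as exc:
        return 400, {"error": str(exc)}
    except Exception:
        return 500, {"error": traceback.format_exc()}


def handle_request(raw_body: str):
    """'After': validation text still reaches the client; every other failure
    is logged server-side under a reference id and answered generically."""
    try:
        return 200, create_user(json.loads(raw_body))
    except ValidationError as exc:
        return 400, {"error": str(exc)}
    except Exception:
        ref = uuid.uuid4().hex
        _log.exception("unhandled error ref=%s", ref)  # stack trace goes to the log only
        return 500, {"error": "TEWS Error", "ref": ref}


# Markers that indicate stack-trace or code-structure detail in a response.
INTERNAL_MARKERS = ("Traceback", 'File "')


def leaks_internals(body: dict) -> bool:
    """Response check: does the client-visible body carry internal detail?"""
    text = json.dumps(body)
    return any(marker in text for marker in INTERNAL_MARKERS)


if __name__ == "__main__":
    # Malformed request: the 'after' handler answers generically, the log has the detail.
    status, body = handle_request("{not json")
    print(status, body)
    print("logged:", LOGGED[-1].splitlines()[0], "...")
    # Form invalidation keeps its specific message.
    print(handle_request('{"userId": "alice"}'))
```

The reference id is the piece that keeps the generic message debuggable: support can search the server log for the id the client reports without the client ever seeing the trace.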


Comments

07-25-2017 09:39 AM

CA Identity Suite 14.1 is now available and contains this fix