
security scan reports database error message

Question asked by rajeshdk on May 5, 2014
Hi,

Ran an HP WebInspect security scan on our Alfresco Share 4.1.2 environment hosted on JBoss 5.1.1 and Oracle. The scan report has "Database Server Error message" marked as CRITICAL.

Please refer to the custom cookie given below with parameter 'pageParams' and value '*'. WebInspect used this to generate the 500 Internal Server Error. This error response also contains Oracle error information ("SQLIntegrityConstraintViolationException") which should not be sent in the response to the client.

That is why the scan flagged this as a critical vulnerability: hackers can exploit this database information to attack.

My solution to this issue is:

* do not send the error response to the client; instead send a custom error message. Also log the full error details in the log.

I understand the response can be either HTML or JSON. For HTML, the solution is probably to customize the error page. But I am not sure how to achieve the same for JSON.

Any thoughts?

Thanks in advance

———————————-
Error message and response details
———————————-

Database Server Error Message ( 742 )

Page: http://host:80/share/proxy/alfresco/api/node/workspace/SpacesStore/602b72e5-e365-4eee-b68d-b3dd26270ee3/comments
Parameter: $.pageParams

AttackType="PostSubParamInjection";

CustomCookie=WebInspect95369ZX3A29A0BBD44D4F40AED1EEBEA516AA00YD4AF;JSESSIONID=72F2609F1BED9416C67E5D614C06AE61;alfLogin=1396699821;alfUsername2=Y2ZyLnJlYWQ=

{"site":"swsdp","content":"<p>12345</p>","itemTitle":"Web Design and Applications","page":"linksview","pageParams":"*"}

Response:
HTTP/1.1 500 Internal Server Error
Server: Apache-Coyote/1.1
X-Powered-By: Servlet 2.5; JBoss-5.0


…TRUNCATED…java.sql.SQLIntegrityConstraintViolationException: ORA-00001: unique constraint (ALFRESCO.PARENT_NODE_ID) viol…TRUNCATED…java.sql.SQLIntegrityConstraintViolationException: ORA-00001: unique constraint (ALFRESCO.PARENT_NODE_ID)
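An added example, not code from the original post or from Alfresco: a servlet filter (Servlet 2.5 API, matching JBoss 5.1) that buffers the response, logs the full body of any 5xx server-side under a reference id, and sends the client a generic JSON or HTML body in its place, which covers the JSON case the post asks about. The class and field names, the "ref" field in the generic body, and UTF-8 as the body encoding are assumptions.

```java
import java.io.*;
import java.util.UUID;
import java.util.logging.*;
import javax.servlet.*;
import javax.servlet.http.*;

/** Hypothetical filter: buffers each response so a 5xx body can be replaced before it reaches the client. */
public class ErrorBodyScrubFilter implements Filter {
    private static final Logger LOG = Logger.getLogger(ErrorBodyScrubFilter.class.getName());
    public void init(FilterConfig cfg) {}
    public void destroy() {}

    public void doFilter(ServletRequest req, ServletResponse res, FilterChain chain)
            throws IOException, ServletException {
        HttpServletRequest request = (HttpServletRequest) req;
        HttpServletResponse response = (HttpServletResponse) res;
        Buffered wrapped = new Buffered(response);
        chain.doFilter(req, wrapped);
        byte[] body = wrapped.body();
        if (wrapped.status < 500) {          // not a server error: pass the body through unchanged
            response.getOutputStream().write(body);
            return;
        }
        // Keep the real cause (stack trace, ORA-xxxxx text) server-side, tied to a reference the client can quote.
        String ref = UUID.randomUUID().toString();
        LOG.severe("ref=" + ref + " uri=" + request.getRequestURI() + " status=" + wrapped.status
                + " body=" + new String(body, "UTF-8"));
        // Answer in the format the application chose, so JSON clients still receive parseable JSON.
        boolean json = String.valueOf(wrapped.getContentType()).contains("json");
        String generic = json
                ? "{\"status\":500,\"message\":\"Internal server error\",\"ref\":\"" + ref + "\"}"
                : "<html><body><h1>Internal server error</h1><p>Reference " + ref + "</p></body></html>";
        byte[] out = generic.getBytes("UTF-8");
        response.setContentLength(out.length);   // any length the application set no longer applies
        response.getOutputStream().write(out);
    }

    /** Records the status code and captures the body in memory instead of sending it. */
    static class Buffered extends HttpServletResponseWrapper {
        int status = HttpServletResponse.SC_OK;
        private final ByteArrayOutputStream buf = new ByteArrayOutputStream();
        private PrintWriter writer;
        Buffered(HttpServletResponse r) { super(r); }
        public void setStatus(int sc) { status = sc; super.setStatus(sc); }
        // sendError would commit the container's own error page (exception text included); record the code instead
        public void sendError(int sc, String msg) { status = sc; super.setStatus(sc); }
        public void sendError(int sc) { status = sc; super.setStatus(sc); }
        public void flushBuffer() {}   // never commit early; the filter writes everything at the end
        public ServletOutputStream getOutputStream() { return new ServletOutputStream() { public void write(int b) { buf.write(b); } }; }
        public PrintWriter getWriter() throws IOException { if (writer == null) writer = new PrintWriter(new OutputStreamWriter(buf, "UTF-8")); return writer; }
        byte[] body() { if (writer != null) writer.flush(); return buf.toByteArray(); }
    }
}
```

Register it in the web.xml of the web application that actually produces the 500 (here the repository reached through Share's /proxy path, which only relays the body it receives). Buffering whole responses in memory has a cost, so limit the url-pattern to the API paths rather than the whole application.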
