Opened at 2010-03-27T22:08:47Z
Last modified at 2013-01-14T09:08:14Z
#1008 new defect
Unhandled error conditions disclose detailed information — at Initial Version
| Reported by: | duck | Owned by: | |
|---|---|---|---|
| Priority: | major | Milestone: | eventually |
| Component: | code-frontend-web | Version: | 1.6.1 |
| Keywords: | wui security privacy anonymity logging error anti-censorship | Cc: | |
| Launchpad Bug: | | | |
Description
A number of verbose error messages, including stack traces, are displayed to users of the WUI when an unexpected error condition is encountered.
Vulnerability issue and impact
Detailed error data could be useful to attackers and may be confusing to users of the system. Confused users have a higher chance of making security mistakes.
Difficulty to exploit: low.
Penetration tests typically rank this class of vulnerability as medium risk.
Resolution recommendations
Do not include detailed error messages when an unexpected error is caught and returned to the user. Rather, return a generic error message that doesn't give any sensitive information to the user. Log details of the error condition to a log file for later investigation.
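The pattern recommended above, as an added example (not code from the ticket or from Tahoe-LAFS itself): a minimal request handler in its leaky form, where the traceback becomes the page body, beside the hardened form, which logs the traceback under an opaque reference id and returns only a generic message. The backend call `lookup_share`, the `/var/lib/tahoe/...` path it reports, and the in-memory log sink are all constructed for the example.

```python
"""Added example, not part of the ticket or the project: generic error page
plus detailed server-side logging for unexpected exceptions."""
import logging
import traceback
import uuid
from io import StringIO

# Constructed in-memory log sink so the example runs offline. A real
# deployment writes to a file or syslog readable only by the operator.
LOG_BUFFER = StringIO()
logger = logging.getLogger("wui-example")
logger.setLevel(logging.ERROR)
logger.propagate = False
logger.addHandler(logging.StreamHandler(LOG_BUFFER))


def lookup_share(share_id):
    """Hypothetical backend call that fails unexpectedly. The exception text
    carries internal detail (a filesystem path) that must not reach the browser."""
    raise IOError("cannot open /var/lib/tahoe/storage/shares/%s" % share_id)


def handle_leaky(share_id):
    """The behaviour the ticket reports: the full traceback is returned as
    the response body. Returns (status, body)."""
    try:
        return 200, lookup_share(share_id)
    except Exception:
        return 500, traceback.format_exc()


def handle_hardened(share_id):
    """The recommended behaviour: log the traceback with a reference id and
    return only a generic message carrying that id, so the operator can find
    the log entry without the user ever seeing internal detail."""
    try:
        return 200, lookup_share(share_id)
    except Exception:
        ref = uuid.uuid4().hex
        logger.error("unhandled error ref=%s\n%s", ref, traceback.format_exc())
        return 500, "An internal error occurred. Reference: %s" % ref


def leaks_internal_detail(body):
    """Simple check an operator can run over captured responses: does the body
    contain traceback markers or internal filesystem paths?"""
    markers = ("Traceback (most recent call last)", 'File "', "/var/lib/")
    return any(m in body for m in markers)


if __name__ == "__main__":
    for handler in (handle_leaky, handle_hardened):
        status, body = handler("sh1")
        verdict = "LEAKS" if leaks_internal_detail(body) else "clean"
        print("%s -> HTTP %d (%s)\n%s\n" % (handler.__name__, status, verdict, body))
    print("--- server-side log ---")
    print(LOG_BUFFER.getvalue())
```

The reference id is the piece that makes the generic message usable: a user reporting "Reference: 3f2a..." lets the operator grep the log for the full traceback, while the response itself reveals nothing about code paths or storage layout.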
Change History (2)
Changed at 2010-03-27T22:26:41Z by duck
Changed at 2010-03-27T22:26:53Z by duck
Example 2 of Unhandled error conditions disclose detailed information in WUI
Example 1 of Unhandled error conditions disclose detailed information in WUI