[ 
https://issues.apache.org/jira/browse/CB-12431?page=com.atlassian.jira.plugin.system.issuetabpanels:comment-tabpanel&focusedCommentId=15933219#comment-15933219
 ] 

Joe Bowser commented on CB-12431:
---------------------------------

Can you provide more information, namely where we're calling printStackTrace?  
This could literally be in the core framework or any of the plugins.  If we 
don't get more information regarding this issue, we're going to close it, since 
security tools often produce false positives that we can't actually find.

> Information Exposure Through an Error Message 
> ----------------------------------------------
>
>                 Key: CB-12431
>                 URL: https://issues.apache.org/jira/browse/CB-12431
>             Project: Apache Cordova
>          Issue Type: Bug
>          Components: Android
>            Reporter: Sahil
>
> During a VARACODE static scan, the Cordova-based Android app has the 
> following flaw:
> Attack Vector: java.lang.Throwable.printStackTrace
> Description:  The application calls the java.lang.Throwable.printStackTrace() 
> function, which may expose information about the application logic or other 
> details such as the names and versions of the application container and 
> associated components. This information can be useful in executing other 
> attacks and can also enable the attacker to target known vulnerabilities in 
> application components. The first argument to printStackTrace() contains data 
> from an error message (possibly containing user-specified or database data) 
> from the variables (new PrintWriter(...)). The data from an error message 
> (possibly containing user-specified or database data) originated from an 
> earlier call to java.lang.exception.printstacktrace.
> Remediation: Ensure that error codes or other messages returned to end users 
> are not overly verbose. Sanitize all messages of any sensitive information 
> that is not absolutely necessary.
--
This message was sent by Atlassian JIRA
(v6.3.15#6346)
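As an added illustration of the pattern the scan report describes (this is example code written for this page, not Cordova's code and not anything produced by the scanner): a stack trace written into a PrintWriter that reaches the end user, placed next to the remediation the report recommends, where the full detail goes to a server-side log under a correlation id and the user sees only a generic message. The class name ErrorExposureDemo, the doWork method and the failure message are constructed for the example.

```java
import java.io.PrintWriter;
import java.io.StringWriter;
import java.util.UUID;
import java.util.logging.Level;
import java.util.logging.Logger;

// Hypothetical demo. Both handlers take a PrintWriter that stands in for the
// channel reaching the end user (HTTP response body, WebView page, UI dialog).
public class ErrorExposureDemo {
    private static final Logger LOG = Logger.getLogger(ErrorExposureDemo.class.getName());

    // Simulates work that fails; the message deliberately carries internal detail
    // (constructed sample: an on-device path, a component version, caller input).
    static void doWork(String input) {
        throw new IllegalStateException(
            "config load failed: /data/app/example/config.xml (component-x 1.2.3), input=" + input);
    }

    // Pattern the scanner flags: the trace is written straight into the user-facing
    // writer, so class names, line numbers and the internal message leak to the client.
    static void handleVerbose(String input, PrintWriter userOut) {
        try {
            doWork(input);
        } catch (RuntimeException e) {
            e.printStackTrace(userOut);   // information exposure through an error message
        }
    }

    // Remediated pattern: full detail is logged server-side with a correlation id;
    // the user receives a non-verbose message plus the id for a support lookup.
    static String handleSanitized(String input, PrintWriter userOut) {
        try {
            doWork(input);
            return null;
        } catch (RuntimeException e) {
            String correlationId = UUID.randomUUID().toString();
            LOG.log(Level.SEVERE, "request failed, correlationId=" + correlationId, e);
            userOut.println("An internal error occurred. Reference: " + correlationId);
            return correlationId;
        }
    }

    // Review helper: does user-facing text carry stack-trace markers?
    static boolean looksLikeStackTrace(String text) {
        return text.contains("\tat ") || text.contains("Exception") || text.contains(".java:");
    }

    public static void main(String[] args) {
        StringWriter verbose = new StringWriter();
        handleVerbose("hello", new PrintWriter(verbose, true));
        System.out.println("verbose handler leaks trace: " + looksLikeStackTrace(verbose.toString()));

        StringWriter safe = new StringWriter();
        handleSanitized("hello", new PrintWriter(safe, true));
        System.out.println("sanitized handler leaks trace: " + looksLikeStackTrace(safe.toString()));
        System.out.println(safe.toString().trim());
    }
}
```

The looksLikeStackTrace check is the kind of assertion worth keeping in a unit test for any code path that renders errors to users: it fails the moment someone reintroduces printStackTrace(PrintWriter) or concatenates e.toString() into a response, which is exactly the call the scan report is trying to locate.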
