[SECURITY] Technical information disclosure in stack traces of error pages #5318

mlarcelet · 2022-07-29T09:32:08Z

Describe the security issue
The application discloses technical internal information about the technologies or components used in
the error pages. CWE-209,CWE-200

Vulnerability Location
Stack traces on MirthConnect web portal and API

Environment

OS: Ubuntu 20.04.1 LTS (GNU/Linux 5.4.0-122-generic x86_64)
Java Distribution/Version : OpenJDK Runtime Environment (build 1.8.0_312-8u312-b07-0ubuntu1~20.04-b07)
Connect Version : 4.01

Suggested remediation
Review the configuration of the application to prevent stack traces.
Declare default error page for a specific error code in the WEB-INF/web.xml configuration file

Jetty Create Custom error pages
OWASP Error handling cheat sheet
OWASP Web Security Testing Guide - Information gathering step
PortSwigger Information disclosure vulnerabilities

mlarcelet added the Security label Jul 29, 2022

lmillergithub added triaged Internal-Issue-Created An issue has been created in NextGen's internal issue tracker RS-9012 labels Aug 3, 2022

Provide feedback

Saved searches

Use saved searches to filter your results more quickly

[SECURITY] Technical information disclosure in stack traces of error pages #5318

[SECURITY] Technical information disclosure in stack traces of error pages #5318

mlarcelet commented Jul 29, 2022

[SECURITY] Technical information disclosure in stack traces of error pages #5318

[SECURITY] Technical information disclosure in stack traces of error pages #5318

Comments

mlarcelet commented Jul 29, 2022