[tahoe-lafs-trac-stream] [tahoe-lafs] #1008: Unhandled error conditions disclose detailed information
tahoe-lafs
trac at tahoe-lafs.org
Mon Jan 14 09:08:14 UTC 2013
#1008: Unhandled error conditions disclose detailed information
-------------------------+-------------------------------------------------
Reporter: duck | Owner:
Type: defect | Status: new
Priority: major | Milestone: eventually
Component: code-frontend-web | Version: 1.6.1
Resolution: | Keywords: wui security privacy anonymity logging error anti-censorship
Launchpad Bug: |
-------------------------+-------------------------------------------------
Description changed by zooko:
Old description:
> A number of verbose error messages, including stack traces, are displayed
> to users of the WUI when an unexpected error condition is encountered.
>
> == Vulnerability issue and impact ==
>
> Detailed error data could be useful to attackers and may be confusing
> to users of the system. Confused users have a higher chance of making
> security mistakes.
>
> Difficulty to exploit: '''low'''.
> Penetration tests typically rank this class of vulnerability as '''medium
> risk'''.
>
> == Resolution recommendations ==
>
> Do not include detailed error messages when an unexpected error is caught
> and returned to the user. Rather, return a generic error message that
> doesn't give any sensitive information to the user. Log details of the
> error condition to a log file for later investigation.
New description:
A number of verbose error messages, including stack traces, are displayed
to users of the WUI when an unexpected error condition is encountered.
== Vulnerability issue and impact ==
Detailed error data could be useful to attackers and may be confusing to
users of the system. Confused users have a higher chance of making
security mistakes.
Difficulty to exploit: '''low'''.
Penetration tests typically rank this class of vulnerability as '''medium
risk'''.
== Resolution recommendations ==
Do not include detailed error messages when an unexpected error is caught
and returned to the user. Rather, return a generic error message that
doesn't give any sensitive information to the user. Log details of the
error condition to a log file for later investigation.
This is part of a cluster of tickets including: #562, #563, #685, #1008,
#1720, and #1904.
Ticket URL: <https://tahoe-lafs.org/trac/tahoe-lafs/ticket/1008#comment:10>
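As an added illustration (not code from the ticket or from Tahoe-LAFS itself), here are the two handling strategies the resolution recommendation contrasts: a handler that returns the traceback to the browser, and one that logs the details under a reference id and returns only a generic message. The handler names, the in-memory log recorder, the reference-id scheme and the failing operation are all constructed for the example.

```python
import logging
import traceback
import uuid


class _RecordingHandler(logging.Handler):
    """Collects log records in memory so the example can show what was logged."""
    def __init__(self):
        logging.Handler.__init__(self)
        self.messages = []

    def emit(self, record):
        self.messages.append(self.format(record))


log = logging.getLogger("wui-example")
log.propagate = False          # keep the example's output off the root logger
log.setLevel(logging.ERROR)
recorder = _RecordingHandler()
log.addHandler(recorder)


def handle_request_leaky(operation):
    """The behaviour the ticket reports: the full traceback is sent to the user."""
    try:
        return 200, operation()
    except Exception:
        return 500, traceback.format_exc()


def handle_request_safe(operation):
    """Recommended behaviour: log the details, return a generic message plus a reference id."""
    try:
        return 200, operation()
    except Exception:
        ref = uuid.uuid4().hex[:12]   # correlation id so an operator can find the log entry
        log.error("unhandled error ref=%s\n%s", ref, traceback.format_exc())
        return 500, "An internal error occurred. Reference: %s" % ref


def broken_operation():
    # Constructed failure standing in for an unexpected exception inside a WUI
    # handler; the message carries a local path the user should never see.
    raise IOError("cannot open /home/alice/.tahoe/private/node.privkey")
```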