[ROL-2106] Nessus flagged 'Web Application Information Disclosure' - ASF JIRA

XML

Word

Printable

JSON

Details

Type: Bug
Status: Open
Priority: Trivial
Resolution: Unresolved
Affects Version/s: 5.1.2
Fix Version/s: None
Component/s: None
Labels:
None

Browser Version:
chrome

Description

Hello,

Our Nessus scan picked up a 'Web Application Information Disclosure' issue with Apache Roller version 5.1.2.

You can added information into a request and the result is not an error. Specifically, you can add on GET request params to the HTTP request and the requested page will display with no error message (see examples below). The issue appears to be minor and doesn't seem to affect the outcome of the page results (just shows the page as normal). However, it hints that something isn't being checked on the backend and perhaps could be exploited in some way. Also, your users who run a Nessus scanner will have this flagged as a medium-level issue and that may cause some discomfort to sys admins and security admins.

To reproduce (using your own blog):

http://rollerweblogger.org/project/entry/apache-roller-5-1-2?page=convert(varchar,0x7b5d)

http://rollerweblogger.org/project/entry/apache-roller-5-1-2?page=apache-roller-5-1-2.html

http://rollerweblogger.org/project/entry/apachAWIPS%2bIIe-roller-5-1-2?page=1'%20AND%20SLEEP(3)='

Attachments

Activity

People

Assignee:: Unassigned

Reporter:: Jennifer Oxelson

Votes:: 0 Vote for this issue

Watchers:: 3 Start watching this issue

Dates

Created:: 31/Oct/16 17:44

Updated:: 17/Sep/23 21:09